The present disclosure relates generally to a multi-party cloud authenticator for authenticating one or more devices of a user in association with cloud computing services.
Cloud computing offers businesses cost-effective access to virtually unlimited computing power and storage, rather than the businesses purchasing and/or maintaining physical computing resources. As such, many businesses offer services that are performed at distributed and/or remote locations. Since many services include use of private information of a user, such as personal and/or financial information, security is critical for many services offered via cloud computing. However, the distributed nature of cloud computing can increase the complexity of security issues. Therefore, the increasing use of cloud computing by businesses warrants improved methods for customer protection.
The detailed description is set forth below with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The use of the same reference numbers in different figures indicates similar or identical items. In some cases, parentheticals are utilized after a reference number to distinguish like elements. Use of the reference number without the associated parenthetical is generic to the element. The systems depicted in the accompanying figures are not to scale and components within the figures may be depicted not to scale with each other.
This disclosure describes, at least in part, a method that may be implemented by a user device communicatively coupled to an intermediary device and/or a server device. In some examples, the intermediary device may represent a cloud authenticator. The server device may represent a remote, online service. The method may include registering a first user device with a user account of a user. Registering the first user device may include generating a primary first credential portion retained by the first user device and a primary second credential portion retained by the cloud authenticator, for example. The method may include registering a second user device with the user account of the user, including generating a secondary first credential portion based at least in part on the primary first credential portion and generating a secondary second credential portion based at least in part on the primary second credential portion, for example. The method may include receiving, from the first user device, a first request to authenticate the user account to an online service. Responsive to the first request, the method may include generating a first signature by participating in a first signing protocol between the cloud authenticator and the first user device. In some examples, the first signature may be based at least in part on the primary first credential portion, the primary second credential portion, and a credential identifier (ID) for the online service. The method may include sending the first signature to a remote device associated with the online service to authenticate the user account to the online service. Further, the method may include receiving, from the second user device, a second request to authenticate the user account to the online service. Responsive to the second request, the method may include generating a second signature by participating in a second signing protocol between the cloud authenticator and the second user device. In some examples, the second signature may be based at least in part on the secondary first credential portion, the secondary second credential portion, and the credential ID for the online service.
This disclosure also describes, at least in part, a method that may be implemented by a user device communicatively coupled to intermediary device and/or a server device. In some examples, the intermediary device may represent a cloud authenticator, while the server device may represent a remote, online service. The method may include communicating with a cloud authenticator to generate a primary first credential portion and a primary second credential portion associated with a user account at the cloud authenticator. The method may include receiving the primary first credential portion. The method may also include participating in a signing protocol with the cloud authenticator to generate a signature. In some examples, the signature may be based at least in part on the primary first credential portion and the primary second credential portion. At least partly in response to generating the signature, the method may include accessing an online service by the first user device. Further, the method may include communicating with the cloud authenticator and with a second user device to generate a secondary first credential portion and a secondary second credential portion associated with the user account at the cloud authenticator.
Additionally, the techniques described herein may be performed by a system and/or device having non-transitory computer-readable media storing computer-executable instructions that, when executed by one or more processors, performs the method described above.
This disclosure describes techniques for a cloud authenticator. A cloud authenticator may provide an interface through which a user may log in to an online service. The cloud authenticator may help the online service trust a user device of the user to allow access to the online service through the use of a credential associated with the user. Also, the user may have multiple user devices from which the user would like to log in to the online service. In some implementations, the cloud authenticator may enable the user to use any one of the multiple user devices to register and/or log in to an online service after enrolling only a single user device with the online service, providing convenience for the user. Furthermore, in some implementations, the cloud authenticator may not be able to use the credential of the user without the cooperation of at least one of the user devices under control of the user, providing security for the user. Thus, the present techniques offer a relatively convenient and safe system for a user to log in to online services.
Cloud authentication systems may be replacing passwords as a preferred authentication mechanism for online services, and possibly other entities. Online services may include websites and/or another form of Relying Party (RP), which may rely on some form of authentication of a user in order to allow the user to access the online service. However, some logistical challenges remain in the way of more widescale adoption of cloud authentication systems for account log in. One of the issues with cloud authentication systems is account recovery, for which a current recommendation is to enroll multiple authenticators. Users may wish to enroll multiple authenticators, as the user may wish to use different user devices (with different attached authenticators) to access various online services. However, under the current model, users may need to enroll each of their “N” authenticators (e.g., user devices) with each of “M” online services (e.g., websites), for a total of “N*M” enrollments. Thus, the amount of enrollments may easily grow to an unacceptable user burden for common amounts of M (100+RPs) that a user engages in modern life. Additionally, in the enterprise space, an administrator may wish to create a role and then designate a number of users (or a subset of user devices of the users) as eligible authenticators for that role. In this case, the amount of associated enrollments could easily become burdensome for the administrator.
A naïve cloud authenticator may work by storing a credential of a user, then allowing each user device of the user to authenticate to the cloud authenticator. In turn, the cloud authenticator could authenticate to any given website on behalf of the user device, using the credential of the user. Such a scheme may free the user from the burden of having to repeatedly, manually log in and/or register from any of multiple user devices with user names, passwords, etc. However, unfortunately the naïve cloud authenticator scheme presents a danger to the user. Since the naïve cloud authenticator is outside the control of the user, and stores a raw credential of the user, the naïve cloud authenticator is therefore capable of logging in to a website and/or an account of the user without permission from the user. The present concepts provide a cloud authenticator that solves the potentially burdensome “N*M” (number of enrollments) problem, but also ensures that cryptographically the cloud authenticator cannot log in to an account of the user without consent and/or cooperation of the user.
In some implementations, a cloud authenticator may provide an interface via which a user device of a user may hold a first credential portion of a credential associated with the user and the cloud authenticator may hold a second credential portion of the credential associated with the user. The first credential portion and the second credential portion may be complimentary, such that together the portions may be used to authenticate to the online service. Throughout a login process for a website, the first credential portion may be retained by the user device of the user. Additionally or alternatively, the second credential portion may be retained by the cloud authenticator. Generation of the first and second credential portions may be accomplished such that none of the user device(s), the cloud authenticator, or any other device ever has possession of the complete credential. When each credential portion is retained separately by the user device and the cloud authenticator, neither the user device nor the cloud authenticator is able to log into an online service without the cooperation of the other entity. No single actor may complete the credential and/or take authentication action unilaterally, for example. Such a cloud authentication system offers improved security for a user since the cloud authenticator may not log in to a user account without permission from the user. Permission may be provided by confirming a biometric of the user, for example. Furthermore, in an instance where a user device is stolen, the user device may not be used to log in to the user account without permission from the user.
Taken one step further, the cloud authentication system may be designed such that any of multiple user devices of the user may be able to derive (or have access to) the first credential portion. Therefore, in a first instance, a user may be allowed to log in to an online service where a mobile phone (under control of the user) provides the first credential portion and the second credential portion is provided by the cloud authenticator. Additionally, the same user may be allowed to log in to the online service in a second instance, where a desktop computer (under control of the user) provides the first credential portion to be used with the second credential portion held by the cloud authenticator. Such a scheme may be referred to as a multi-party cloud authentication system, where multiple parties (e.g., the user devices and the cloud authenticator) are using “shares” (e.g., portions) of a credential associated with the user. Stated another way, a multi-party cloud authentication system may use any of several devices of a user to cooperate with a cloud authenticator to access an online service in a convenient and safe manner.
One example way to implement a first credential portion and a second credential portion in a multi-party cloud authentication system is through the use of a threshold signature. With a threshold signature (e.g., threshold signature algorithm), a private key is not held by a single entity, but instead is spread across multiple entities. Threshold signatures allow two (or more) entities to use keyshares (e.g., credential portions) to form a signature, without reconstructing a complete credential. To generate a signature, the entities (or at least some subset of the entities) among which the credential portions are distributed must cooperate to generate the signature. Therefore, a cloud authenticator using a threshold signature algorithm may form a signature to log in to a user account with the cooperation of at least one user device that is under control of the user. In some implementations, the signature may be used for an authentication procedure with an online account, such as WebAuthn. The signature formed with the threshold signature algorithm may be used to sign an assertion, registration, log on statement, etc., to log on to a website, for example. In some cases, the cooperation to form the signature may be referred to as a signing protocol. The resultant signature and/or signed assertion may be verified by any entity with a public key that coordinates with the private key. For example, the online service that the user is attempting to access may hold the coordinating public key. The online service may be able to use the public key to verify the signature created with the threshold signature algorithm.
To summarize, by sharing critical elements of an authentication procedure, the multi-party cloud authentication system allows a user to easily register and use multiple user devices, yet is resilient to loss or theft of any individual user device. The multi-party cloud authentication system may also be applied to the sharing of enterprise “roles” across multiple users. In an enterprise system, the multi-party cloud authentication system may allow an administrator to easily and safely provision and recover accounts, and other important features for enterprise workforces. As such, the multi-party cloud authentication system offers an improved interface through which users may access an online service and/or administrators may manage an enterprise workforce.
Although the examples described herein may refer to a user device and/or an intermediary device as participating in a multi-party cloud authentication system in a cloud networking environment, the techniques can generally be applied to any device or role, including an enterprise workforce scenario. Further, the techniques are generally applicable for any network of devices managed by any entity where virtual resources are provisioned. In some instances, the techniques may be performed by software-defined networking (SDN), and in other examples, various devices may be used in a system to perform the techniques described herein. The devices by which the techniques are performed herein are a matter of implementation, and the techniques described are not limited to any specific architecture or implementation.
The techniques described herein provide various improvements and efficiencies with respect to network communications. For instance, the techniques described herein may reduce the amount of computational resource use, storage, dropped data, latency, and other issues experienced in networks due to lack of network resources, overuse of network resources, issues with timing of network communications, and/or improper routing of data. By improving network communications across a network, overall performance by servers and virtual resources may be improved.
Certain implementations and embodiments of the disclosure will now be described more fully below with reference to the accompanying figures, in which various aspects are shown. However, the various aspects may be implemented in many different forms and should not be construed as limited to the implementations set forth herein. The disclosure encompasses variations of the embodiments, as described herein. Like numbers refer to like elements throughout.
The user devices 104, server devices 106, and/or intermediary devices 108 may be communicatively coupled among one another and/or to various other devices via network 102. Within the example environment 100, a user device 104, server device 106, intermediary device 108, and/or other devices may exchange communications (e.g., packets) via a network connection(s) to network 102, indicated by double arrows 110. For instance, network connections 110 may be transport control protocol (TCP) network connections or any network connection (e.g., information-centric networking (ICN)) that enable the devices to exchange packets with other devices via cloud computing network 102. The network connections 110 represent, for example, a data path between a user device 104 and an intermediary device 106. For example, the user device 104 may be a computer, laptop, mobile device, tablet, etc., while the server device 106 and/or the intermediary device 108 may be a network device 106 that is configured to provide data and/or network services to the user device 104. The server device 106 and/or intermediary device 108 may or may not be a producer, a point of generation and/or origination of the data. For instance, the data may originate elsewhere for the server device 106 and/or the intermediary device 108 to be able to provide to the user device 104. Alternatively or additionally, the data may pass through other network devices (e.g., router, switch) on a path from the server device 106 and/or the intermediary device 108 to the user device 104. It should be appreciated that the term “network connection” may also be referred to as a “network path.” The use of a cloud computing network in this example is not meant to be limiting. Other types of networks are contemplated in accordance with multi-party cloud authentication concepts.
As shown in
Following generation of the first credential portion 112 and the second credential portion 114, the communication at Step 1 may include a signing protocol between user device 104(1) and intermediary device 108. The signing protocol may include several messages that are sent between user device 104(1) and intermediary device 108. For instance, an algorithm may be used that constitutes several back-and-forth messages which generate a signature. In some examples, the algorithm may be a threshold signature algorithm. The signing protocol may be performed using the first credential portion 112(1) held by user device 104(1) and the second credential portion 114(1) held by intermediary device 108. However, the user device 104(1) may retain the first credential portion 112(1) and the intermediary device 108 may retain the second credential portion 114(1) throughout the signing protocol. Stated another way, intermediary device 108 may participate in the signing protocol without ever knowing and/or having access to plain text of the first credential portion 112. As such, the first credential portion 112 is kept “secret” from the cloud authenticator. Similarly, user device 104(1) does not have access to the second credential portion 114. Through the communication in Step 1, a signature 116A may be generated. The signature 116A may be associated with an assertion, such as an assertion related to a log on and/or other authentication action regarding the online service represented by server device 106.
At “Step 2A” of
At “Step 3” of
The multi-party cloud authentication scenario may continue in
At “Step 5” of
At “Step 6” of
In summary, in the multi-party cloud authentication scenario illustrated through
Note that the depiction of a single server device 106 (e.g., remote device) and/or a single intermediary device 108 (e.g., cloud computing device) in
Example environment 200 may include a cloud computing network 202 (e.g., network), one or more user devices 204, one or more server devices 206 (e.g., remote devices), and/or one or more intermediary devices 208 (e.g., cloud computing devices). The depiction of a single server device 206 and/or a single intermediary device 208 in
The example multi-party cloud authentication scenario illustrated in
Beginning with
As part of an enrollment protocol, Step 1 of
At “Step 2” of
At “Step 3” of
The multi-party cloud authentication scenario may continue in
In some implementations, trust in newly enrolled user devices 204 is established by the previously enrolled user devices 204, and may or may not be established by the cloud authenticator as well. Therefore, the cloud authenticator may not be able to enroll a device without the explicit consent of a user device 204 already-enrolled with that user account. Therefore, the cloud authenticator may not be able to hijack the user account, such as by enrolling its own device. Note that in some examples, a trusted third party may be permitted to enroll a “backup” device with a user account. For example, if a user loses control of their enrolled device(s), the trusted third party may be able to recover the user account. The backup device may have privileges restricted to disallow signing and/or to only allow enrolling new devices when additional requirements are met, for instance.
Referring again to the scenario in
The multi-party cloud authentication scenario may continue in
In some schemes, the credential may be selected without being wholly known to either user device 204(1) or intermediary device 208. The credential may be selected such that the credential may be formed using the first credential portion 212 and second credential portion 214. The registration protocol may also include selecting a credential identifier (ID) 226 for the online service. The credential ID 226 may be (potentially) unique relative to other credential IDs for the user account at the cloud authenticator. As a byproduct, the credential ID 226 may also be unique to the online service, such that different online services (e.g., websites) have different credential IDs 226. Furthermore, in some implementations, the credential may be formed using the first credential portion 212, second credential portion 214, and credential ID 226. In one example, the credential may be formed with the following mathematical expression:
Credential=(1st Cred.)*(2nd Cred.)*hash(Cred. ID)
where “1st Cred.” is first credential portion 212, “2nd Cred.” is second credential portion 214, and “hash(Cred. ID)” is a hash of credential ID 226. The hash may be a preexisting hash function in some cases. Note that although the credential may be conceptually formed using the above expression, the credential may not actually be reconstructed by either a user device 204 or the cloud authenticator. In this manner neither the user devices 204 nor the cloud authenticator may have access to the complete credential.
Referring again to
Signature(1st Cred.)*(2nd Cred.)*hash(Cred. ID)
where “1st Cred.” is first credential portion 212(1), “2nd Cred.” is second credential portion 214(1), and “hash(Cred. ID)” is a hash of credential ID 226D. Stated another way, a message may be signed using the complete credential that is formed with the first credential portion 212(1), second credential portion 214(1), and credential ID 226D. However, throughout any signing protocol, the first credential portion 212 may be kept “secret” from the cloud authenticator, and the second credential portion 214 may be kept secret from any user device 204. In “Step 7” of
In some examples, credential IDs 226 that have been selected for online services may be stored by the cloud authenticator. In this manner, any user device 204 of the user may be used to sign in to the online service via the user account with the cloud authenticator. A credential ID 226 may or may not be protected (e.g., encrypted) before the cloud authenticator is allowed to receive and/or store the credential ID 226. For instance, since the cloud authenticator does not have access to a first credential portion 218 that is needed to form a complete credential, the credential ID 226 may not need to be encrypted with respect to the cloud authenticator. However, in order for a user device 204 to trust a credential ID 226 stored by the cloud authenticator, a scheme may be used for the credential ID 226 to be signed by another user device 204, as illustrated in
Continuing at “Step 9” of
Signature(1st Cred.)*(2nd Cred.)*hash(Cred. ID)
where “1st Cred.” is first credential portion 212(3), “2nd Cred.” is second credential portion 214(3), and “hash(Cred. ID)” is a hash of credential ID 226D. Note that although user device 204(3) is using first credential portion 212(3) (and not first credential portion 212(1)) to produce the signature 216, the resultant signature 216 of the signing protocol in Step 9 of
Note that in
As described through
In some implementations, a multi-party cloud authentication system may be applied to an enterprise case, where a cloud authenticator account may be created not for a user, but for a “role” in the enterprise. An administrator may create a role account and then enroll all or a subset of one or more user devices in that account. The benefits of the multi-party cloud authentication system may be similarly realized in the enterprise case, including sharing an authentication credential (portion), disenrolling user devices from a role account, etc. For instance, in some examples, the administrator may be able to use the multi-party cloud authentication system to apply policy to user devices, and then may block release of a credential where a particular user device does not conform to the policy.
To summarize, the multi-party cloud authentication techniques described herein may represent a more efficient and safer method of authenticating users to an online service. The techniques may therefore improve security relative to cloud computing services, while also improving the user experience. The techniques may be relatively lightweight, featuring low computational cost and/or low bandwidth usage. Furthermore, the benefits of multi-party cloud authentication techniques may be become more pronounced as users increasingly use multiple devices to access online services, and do not wish to be hassled with cumbersome log on processes.
The implementation of the various devices and/or components described herein is a matter of choice dependent on the performance and other requirements of the computing system. Accordingly, the logical operations described herein are referred to variously as operations, structural devices, acts, or modules. These operations, structural devices, acts, and modules may be implemented in software, in firmware, in special purpose digital logic, and any combination thereof. It should also be appreciated that more or fewer operations might be performed than shown in the
At 302, method 300 may include registering, by the cloud authenticator, the first user device with a user account of a user. In some examples, registering the first user device may comprise generating a primary first credential portion retained by the first user device and a primary second credential portion retained by the cloud authenticator. The primary first credential portion and the primary second credential portion may be retained by the first user device and the cloud authenticator, respectively, throughout the generation process. In this manner, neither the first user device nor the cloud authenticator may have possession of the credential portion belonging to the other entity.
At 304, method 300 may include registering, by the cloud authenticator, the second user device with the user account of the user. In some examples, registering the second user device may comprise generating a secondary first credential portion based at least in part on the primary first credential portion and generating a secondary second credential portion based at least in part on the primary second credential portion. The method may also include participating in an enrollment protocol with the first user device to generate the secondary first credential portion.
At 306, method 300 may include receiving, at the cloud authenticator and from the first user device, a first request to authenticate the user account to an online service.
Responsive to the first request, at 308, method 300 may include generating a first signature by participating in a first signing protocol with the first user device. In some examples, the first signature may be based at least in part on the primary first credential portion, the primary second credential portion, and a credential identifier (ID) for the online service. The method may also include selecting the credential ID by participating in a registration protocol with the first user device to register with the online service. During the first signing protocol, the primary first credential portion may be retained by the first user device and the primary second credential portion may be retained by the cloud authenticator. Here again, neither the first user device nor the cloud authenticator may have possession of the credential portion belonging to the other entity during and/or throughout the first signing protocol. In some examples, the first signing protocol may be a threshold signature signing protocol.
At 310, method 300 may include providing, by the cloud authenticator, the first signature to a remote device associated with the online service to authenticate the user account to the online service. Providing the first signature may include the cloud authenticator sending the first signature to the online service. Stated another way, the cloud authenticator may log on to the online service on behalf of the user, using the first signature. In other examples, providing the first signature may include the cloud authenticator facilitating the first user device sending the first signature to the online service. For instance, the cloud authenticator may participate in the signing protocol, from which the first user device may receive the first signature and log in to the online service using the first signature.
At 312, method 300 may include receiving, at the cloud authenticator and from the second user device, a second request to authenticate the user account to the online service.
Responsive to the second request, at 314, method 300 may include generating a second signature by participating in a second signing protocol between the cloud authenticator and the second user device. In some examples, the second signature may be based at least in part on the secondary first credential portion, the secondary second credential portion, and the credential ID for the online service. The first signature may match the second signature, either exactly or effectively for authentication purposes, in some cases. In some examples, the method may include receiving a signed copy of the credential ID from the first user device at the cloud authenticator. The second signature may be generated in the second signing protocol using the signed copy of the credential ID. Once again, the secondary first credential portion may be retained by the second user device and the secondary second credential portion may be retained by the cloud authenticator. In some implementations, the first user device and the second user device may (potentially) never have access to plain text of any second credential portion. Further, the cloud authenticator may (potentially) never have access to plain text of any first credential portion. Neither entity requires knowledge of the credential portion belonging to the other entity to be able to perform multi-party cloud authentication techniques. However, the cloud authenticator may receive and/or store credential IDs for various online services, public keys of the user devices, etc.
At 402, method 400 may include communicating, by the first user device, with the cloud authenticator to generate a primary first credential portion and a primary second credential portion associated with a user account at the cloud authenticator.
At 404, method 400 may include receiving, by the first user device, the primary first credential portion. In some examples, the primary first credential portion may be retained by the first user device and the primary second credential portion may be retained by the cloud authenticator.
At 406, method 400 may include participating in a signing protocol with the cloud authenticator to generate a signature. The signature may be based at least in part on the primary first credential portion and the primary second credential portion. During the signing protocol, the primary first credential portion may be retained by the first user device and the primary second credential portion may be retained by the cloud authenticator. The signature may be used for authenticating to the online service, for instance. In some examples, the signing protocol may comprise a threshold signature signing protocol. Also, the signature may comprise a threshold signature. In some examples, the method may include selecting, by the first user device and with the cloud authenticator, a credential identifier (ID) for the online service. The signature may be based at least in part on the credential ID, in addition to the primary first credential portion and the primary second credential portion.
At 408, at least partly in response to generating the signature, method 400 may include accessing the online service by the first user device. The first user device may access the online service directly, or may access the online service indirectly via the cloud authenticator, for instance.
At 410, method 400 may include communicating, by the first user device, with the cloud authenticator and with the second user device to generate a secondary first credential portion and a secondary second credential portion associated with the user account at the cloud authenticator. In some examples, the method may include signing, by the first user device, a copy of the credential ID to create a signed credential ID. The method may further include sending the signed credential ID to the cloud authenticator in association with the user account. In instances where the second user device participates in a signing protocol with the cloud authenticator, the signed credential ID may be used during the generation of the signature. The second user device may agree to participate in the signing protocol due to the use of the signed credential ID, since the signature by the first user device on the copy of the credential ID may install trust by the second user device in the credential ID.
The computers 502 can be standard tower, rack-mount, or blade server computers configured appropriately for providing computing resources. In some examples, the computers 502 may provide computing resources 504 including data processing resources such as virtual machine (VM) instances or hardware computing systems, database clusters, computing clusters, storage clusters, data storage resources, database resources, networking resources, and others. Some of the computers 502 can also be configured to execute a resource manager 506 capable of instantiating and/or managing the computing resources. In the case of VM instances, for example, the resource manager 506 can be a hypervisor or another type of program configured to enable the execution of multiple VM instances on a single computer 502. Computers 502 in the data center 500 can also be configured to provide network services and other types of services.
In the example data center 500 shown in
In some examples, the computers 502 may each execute one or more application containers and/or virtual machines to perform techniques described herein. For instance, the containers and/or virtual machines may serve as server devices, user devices, and/or routers in the cloud computing network 102 or 202.
In some instances, the data center 500 may provide computing resources, like application containers, VM instances, and storage, on a permanent or an as-needed basis. Among other types of functionality, the computing resources provided by a cloud computing network may be utilized to implement the various services and techniques described above. The computing resources 504 provided by the cloud computing network can include various types of computing resources, such as data processing resources like application containers and VM instances, data storage resources, networking resources, data communication resources, network services, and the like.
Each type of computing resource 504 provided by the cloud computing network can be general-purpose or can be available in a number of specific configurations. For example, data processing resources can be available as physical computers or VM instances in a number of different configurations. The VM instances can be configured to execute applications, including web servers, application servers, media servers, database servers, some or all of the network services described above, and/or other types of programs. Data storage resources can include file storage devices, block storage devices, and the like. The cloud computing network can also be configured to provide other types of computing resources 504 not mentioned specifically herein.
The computing resources 504 provided by a cloud computing network may be enabled in one embodiment by one or more data centers 500 (which might be referred to herein singularly as “a data center 500” or in the plural as “the data centers 500”). The data centers 500 are facilities utilized to house and operate computer systems and associated components. The data centers 500 typically include redundant and backup power, communications, cooling, and security systems. The data centers 500 can also be located in geographically disparate locations. One illustrative embodiment for a data center 500 that can be utilized to implement the technologies disclosed herein will be described below with regards to
As shown in
The CPUs 604 perform operations by transitioning from one discrete, physical state to the next through the manipulation of switching elements that differentiate between and change these states. Switching elements generally include electronic circuits that maintain one of two binary states, such as flip-flops, and electronic circuits that provide an output state based on the logical combination of the states of one or more other switching elements, such as logic gates. These basic switching elements can be combined to create more complex logic circuits, including registers, adders-subtractors, arithmetic logic units, floating-point units, and the like.
The chipset 606 provides an interface between the CPUs 604 and the remainder of the components and devices on the baseboard 602. The chipset 606 can provide an interface to a RAM 608, used as the main memory in the computer 502. The chipset 606 can further provide an interface to a computer-readable storage medium such as a read-only memory (“ROM”) 610 or non-volatile RAM (“NVRAM”) for storing basic routines that help to startup the computer 502 and to transfer information between the various components and devices. The ROM 610 or NVRAM can also store other software components necessary for the operation of the computer 502 in accordance with the configurations described herein.
The computer 502 can operate in a networked environment using logical connections to remote computing devices and computer systems through a network, such as networks 102, 202, and/or 508. The chipset 606 can include functionality for providing network connectivity through a network interface controller (NIC) 612, such as a gigabit Ethernet adapter. The NIC 612 is capable of connecting the computer 502 to other computing devices over the network 202. For instance, in the example shown in
The computer 502 can be connected to a storage device 614 that provides non-volatile storage for the computer. The storage device 614 can store an operating system 616, programs 618, database 620, and/or other data. In some examples, database 620 may represent and/or include storage 222, 224, and/or 228, for instance. The storage device 614 can be connected to the computer 502 through a storage controller 622 connected to the chipset 606, for example. The storage device 614 can consist of one or more physical storage units. The storage controller 622 can interface with the physical storage units through a serial attached SCSI (“SAS”) interface, a serial advanced technology attachment (“SATA”) interface, a fiber channel (“FC”) interface, or other type of interface for physically connecting and transferring data between computers and physical storage units.
The computer 502 can store data on the storage device 614 by transforming the physical state of the physical storage units to reflect the information being stored. The specific transformation of physical state can depend on various factors, in different embodiments of this description. Examples of such factors can include, but are not limited to, the technology used to implement the physical storage units, whether the storage device 614 is characterized as primary or secondary storage, and the like.
For example, the computer 502 can store information to the storage device 614 by issuing instructions through the storage controller 622 to alter the magnetic characteristics of a particular location within a magnetic disk drive unit, the reflective or refractive characteristics of a particular location in an optical storage unit, or the electrical characteristics of a particular capacitor, transistor, or other discrete component in a solid-state storage unit. Other transformations of physical media are possible without departing from the scope and spirit of the present description, with the foregoing examples provided only to facilitate this description. The computer 502 can further read information from the storage device 614 by detecting the physical states or characteristics of one or more particular locations within the physical storage units.
In addition to the mass storage device 614 described above, the computer 502 can have access to other computer-readable storage media to store and retrieve information, such as policies, program modules, data structures, and/or other data. It should be appreciated by those skilled in the art that computer-readable storage media is any available media that provides for the non-transitory storage of data and that can be accessed by the computer 502. In some examples, the operations performed by the network (e.g., 102, 202, and/or 508), and or any components included therein, may be supported by one or more devices similar to computer 502. Stated otherwise, some or all of the operations performed by the network (e.g., 102, 202, and/or 508), and or any components included therein, may be performed by one or more computer devices 502 operating in a cloud-based arrangement.
By way of example, and not limitation, computer-readable storage media can include volatile and non-volatile, removable and non-removable media implemented in any method or technology. Computer-readable storage media includes, but is not limited to, RAM, ROM, erasable programmable ROM (“EPROM”), electrically-erasable programmable ROM (“EEPROM”), flash memory or other solid-state memory technology, compact disc ROM (“CD-ROM”), digital versatile disk (“DVD”), high definition DVD (“HD-DVD”), BLU-RAY, ternary content addressable memory (TCAM), and/or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium that can be used to store the desired information in a non-transitory fashion.
As mentioned briefly above, the storage device 614 can store an operating system 616 utilized to control the operation of the computer 502. According to one embodiment, the operating system comprises the LINUX operating system. According to another embodiment, the operating system comprises the WINDOWS® SERVER operating system from MICROSOFT Corporation of Redmond, Wash. According to further embodiments, the operating system can comprise the UNIX operating system or one of its variants. It should be appreciated that other operating systems can also be utilized. The storage device 614 can store other system or application programs and data utilized by the computer 502.
In one embodiment, the storage device 614 or other computer-readable storage media is encoded with computer-executable instructions which, when loaded into the computer 502, transform the computer from a general-purpose computing system into a special-purpose computer capable of implementing the embodiments described herein. These computer-executable instructions transform the computer 502 by specifying how the CPUs 604 transition between states, as described above. According to one embodiment, the computer 502 has access to computer-readable storage media storing computer-executable instructions which, when executed by the computer 502, perform the various processes described above with regards to
The computer 502 can also include one or more input/output controllers 624 for receiving and processing input from a number of input devices, such as a keyboard, a mouse, a touchpad, a touch screen, an electronic stylus, or other type of input device. Similarly, an input/output controller 624 can provide output to a display, such as a computer monitor, a flat-panel display, a digital projector, a printer, or other type of output device. It will be appreciated that the computer 502 might not include all of the components shown in
As described herein, the computer 502 may comprise one or more devices, such as intermediary device 108 or 208, user devices 104 or 204, and/or other devices. The computer 502 may include one or more hardware processors 604 (processors) configured to execute one or more stored instructions. The processor(s) 604 may comprise one or more cores. Further, the computer 502 may include one or more network interfaces configured to provide communications between the computer 502 and other devices, such as the communications described herein as being performed by intermediary device 108 or 208, user devices 104 or 204, and/or other devices. In some examples, the communications may include data, packet, assertion, signature and/or other communications, such as credential IDs 226 and/or public keys 218, and/or other information transfer, for instance. The network interfaces may include devices configured to couple to personal area networks (PANs), wired and wireless local area networks (LANs), wired and wireless wide area networks (WANs), and so forth. For example, the network interfaces may include devices compatible with Ethernet, Wi-Fi™, and so forth.
The programs 618 may comprise any type of programs or processes to perform the techniques described in this disclosure in accordance with multi-party cloud authentication techniques. For instance, the programs 618 may cause the computer 502 to perform techniques for communicating with other devices using any type of protocol or standard usable for determining connectivity. Additionally, the programs 618 may comprise instructions that cause the computer 502 to perform the specific techniques for multi-party cloud authentication.
While the invention is described with respect to the specific examples, it is to be understood that the scope of the invention is not limited to these specific examples. Since other modifications and changes varied to fit particular operating requirements and environments will be apparent to those skilled in the art, the invention is not considered limited to the example chosen for purposes of disclosure, and covers all changes and modifications which do not constitute departures from the true spirit and scope of this invention.
Although the application describes embodiments having specific structural features and/or methodological acts, it is to be understood that the claims are not necessarily limited to the specific features or acts described. Rather, the specific features and acts are merely illustrative some embodiments that fall within the scope of the claims of the application.