Abstract: The disclosed technology for a hardware system to access a secure backend system uses non-volatile memory to hold encrypted secrets, volatile memory to hold decrypted secrets ready for use, a keys-for-all (K4A) server, and app servers running K4A clients. To access the backend system in production, each app server uses a decrypted secret and a certificate that identifies the app server and certifies its role and physical and logical location. At initialization of the app server, a K4A client is instantiated that launches and tracks processes, running on the app server, that are authorized to request decryption services. The K4A client responds to a decryption request from an authorized process, determined based on tracking of processes launched, by requesting decryption by a K4A server, using the certificate, and returns to the process, in volatile memory, a decrypted secret or a reference to the decrypted secret, decrypted by the K4A server.
Type:
Grant
Filed:
June 29, 2017
Date of Patent:
August 18, 2020
Assignee:
salesforce.com, inc.
Inventors:
Prasad Peddada, Ryan Guest, Jonathan Brossard, Travis Emmert
Abstract: Various techniques are provided for verifying the authenticity of software applications. Such techniques are particularly useful for verifying the authenticity of software applications used in online transactions involving users, payment service providers, and/or merchants. In one example, a set of application identifiers associated with a plurality of authenticated software applications are maintained and a verification request is received comprising an application identifier associated with an unverified software application. A token is generated in response to the verification request if the application identifier is in the set of application identifiers. The generated token is passed to the unverified software application. A user token is received and processed to determine whether the unverified software application is one of the authenticated software applications. A verification request is sent based on the processing. Additional methods and systems are also provided.