
US-12621289-B2 - Hardware-backed password security for cloud systems


Abstract

Methods, systems, and devices for data processing are described. A server host may receive a login request that includes a clear text password for an account associated with a tenant of a multi-tenant cloud platform. The server host may retrieve an encrypted payload associated with the account. The encrypted payload may include a hash value of a user-configured password for the account and an indication of a hashing algorithm used to transform the user-configured password into the hash value. The server host may obtain a wrapped symmetric key provisioned by a symmetric key distribution service. The server host may transmit a request that includes the encrypted payload, the clear text password, and the wrapped symmetric key. The server host may receive a response that indicates whether a hash value of the clear text password from the login request corresponds to the hash value of the user-configured password.

Inventors

  • Prasad Peddada

Assignees

  • SALESFORCE, INC.

Dates

Publication Date
2026-05-05
Application Date
2024-01-29

Claims (18)

  1. A method for data processing, comprising: transmitting, to a key protection component of a server host, a message including a user-configured password and a wrapped symmetric key, wherein the user-configured password is related to an account associated with a tenant of a multi-tenant cloud platform; receiving, from the key protection component and in response to the message, an encrypted payload and an initialization vector associated with the encrypted payload, wherein the encrypted payload comprises a hash value of the user-configured password for the account and an indicator of a hashing algorithm used for generation of the hash value, and wherein the encrypted payload and the initialization vector are stored in a database in association with the account, wherein the database is associated with the multi-tenant cloud platform; receiving, at the server host, a login request that includes a clear text password for the account associated with a tenant of a multi-tenant cloud platform; retrieving, from the database associated with the multi-tenant cloud platform, the encrypted payload stored in association with the account, the encrypted payload comprising a hash value of a user-configured password for the account and an indicator of a hashing algorithm used for generation of the hash value; obtaining the wrapped symmetric key provisioned by a symmetric key distribution service, wherein the symmetric key is wrapped using an asymmetric public key associated with the server host; transmitting an application programming interface (API) request comprising the encrypted payload retrieved from the database, the clear text password extracted from the login request, and the wrapped symmetric key provisioned by the symmetric key distribution service; and receiving an API response that indicates whether a hash value of the clear text password from the login request corresponds to the hash value of the user-configured password for the account.
  2. The method of claim 1, wherein the message is configured to cause the key protection component to: unwrap the symmetric key using an asymmetric private key corresponding to the asymmetric public key of the server host; transform the user-configured password into the hash value using the hashing algorithm; generate the payload comprising the hash value and the indication of the hashing algorithm; encrypt the payload using the unwrapped symmetric key and the initialization vector; and return the encrypted payload to the server host along with the initialization vector.
  3. The method of claim 1, further comprising: storing, within the database, the encrypted payload and the initialization vector in association with the account; retrieving the encrypted payload and the initialization vector from the database in response to the login request; and including the encrypted payload and the initialization vector in the API request.
  4. The method of claim 1, wherein the hashing algorithm used to transform the user-configured password into the hash value is selected by the key protection component.
  5. The method of claim 1, wherein the wrapped symmetric key is provisioned by the symmetric key distribution service that comprises at least one of a hardware security module (HSM), or a master host, or a quorum-based key sharing service.
  6. The method of claim 1, wherein the API request is configured to cause the key protection component of the server host to: unwrap the symmetric key using an asymmetric private key corresponding to the asymmetric public key of the server host; decrypt the payload using the unwrapped symmetric key and the initialization vector associated with the payload; generate a hash value of the clear text password from the login request using the hashing algorithm indicated by the decrypted payload; and compare the hash value of the clear text password to the hash value of the user-configured password indicated by the decrypted payload.
  7. The method of claim 1, wherein obtaining the wrapped symmetric key comprises: transmitting, to the symmetric key distribution service associated with the multi-tenant cloud platform, a first message indicating the asymmetric public key of the server host and the symmetric key that is wrapped using an intermediate key provisioned by the symmetric key distribution service, wherein the asymmetric public key of the server host is included in a certificate of the server host; and receiving, from the symmetric key distribution service, a second message indicating the symmetric key that is wrapped using the asymmetric public key associated with the server host.
  8. The method of claim 7, wherein the first message is configured to cause the symmetric key distribution service to: unwrap the symmetric key using the intermediate key provisioned by the symmetric key distribution service; rewrap the symmetric key using the asymmetric public key of the server host; and return the rewrapped symmetric key to the server host via the second message.
  9. The method of claim 7, further comprising: storing, within the database, the symmetric key that is wrapped using the intermediate key provisioned by the symmetric key distribution service.
  10. The method of claim 1, wherein obtaining the symmetric key comprises: retrieving, from the database, the symmetric key that is wrapped using the asymmetric public key associated with the server host, wherein the database comprises two or more instances of the symmetric key that are wrapped using respective asymmetric public keys associated with other server hosts in a sub-system of the multi-tenant cloud platform that includes the server host and the database.
  11. The method of claim 1, wherein the user-configured password is locally hashed and encrypted by the key protection component of the server host.
  12. The method of claim 1, wherein the hashing algorithm comprises a 256-bit secure hashing algorithm (SHA-256), a 384-bit secure hashing algorithm (SHA-384), a 512-bit secure hashing algorithm (SHA-512), or a Keccak algorithm.
  13. The method of claim 1, wherein the API response comprises a Boolean to indicate whether a hash value of the clear text password from the login request corresponds to the hash value of the user-configured password for the account.
  14. The method of claim 1, wherein the symmetric key is provisioned for a sub-system of the multi-tenant cloud platform that includes the server host and the database.
  15. An apparatus for data processing, comprising: at least one processor; at least one memory coupled with the at least one processor; and instructions stored in the at least one memory and executable by the at least one processor to cause the apparatus to: transmit, to a key protection component of a server host, a message including a user-configured password and a wrapped symmetric key, wherein the user-configured password is related to an account associated with a tenant of a multi-tenant cloud platform; receive, from the key protection component and in response to the message, an encrypted payload and an initialization vector associated with the encrypted payload, wherein the encrypted payload comprises a hash value of the user-configured password for the account and an indicator of a hashing algorithm used for generation of the hash value, and wherein the encrypted payload and the initialization vector are stored in a database in association with the account, wherein the database is associated with the multi-tenant cloud platform; receive, at the server host, a login request that includes a clear text password for the account associated with a tenant of a multi-tenant cloud platform; retrieve, from the database associated with the multi-tenant cloud platform, the encrypted payload stored in association with the account, the encrypted payload comprising a hash value of a user-configured password for the account and an indicator of a hashing algorithm used for generation of the hash value; obtain the wrapped symmetric key provisioned by a symmetric key distribution service, wherein the symmetric key is wrapped using an asymmetric public key associated with the server host; transmit an application programming interface (API) request that includes the encrypted payload retrieved from the database, the clear text password extracted from the login request, and the wrapped symmetric key provisioned by the symmetric key distribution service; and receive an API response that indicates whether a hash value of the clear text password from the login request corresponds to the hash value of the user-configured password for the account.
  16. The apparatus of claim 15, wherein the message is configured to cause the key protection component to: unwrap the symmetric key using an asymmetric private key corresponding to the asymmetric public key of the server host; transform the user-configured password into the hash value using the hashing algorithm; generate the payload comprising the hash value and the indication of the hashing algorithm; encrypt the payload using the unwrapped symmetric key and the initialization vector; and return the encrypted payload to the server host along with the initialization vector.
  17. The apparatus of claim 15, wherein the instructions are further executable by the at least one processor to cause the apparatus to: store, within the database, the encrypted payload and the initialization vector in association with the account; retrieve the encrypted payload and the initialization vector from the database in response to the login request; and include the encrypted payload and the initialization vector in the API request.
  18. A non-transitory computer-readable medium storing code for data processing, the code comprising instructions executable by at least one processor to: transmit, to a key protection component of a server host, a message including a user-configured password and a wrapped symmetric key, wherein the user-configured password is related to an account associated with a tenant of a multi-tenant cloud platform; receive, from the key protection component and in response to the message, an encrypted payload and an initialization vector associated with the encrypted payload, wherein the encrypted payload comprises a hash value of the user-configured password for the account and an indicator of a hashing algorithm used for generation of the hash value, and wherein the encrypted payload and the initialization vector are stored in a database in association with the account, wherein the database is associated with the multi-tenant cloud platform; receive, at the server host, a login request that includes a clear text password for the account associated with a tenant of a multi-tenant cloud platform; retrieve, from the database associated with the multi-tenant cloud platform, the encrypted payload stored in association with the account, the encrypted payload comprising a hash value of a user-configured password for the account and an indicator of a hashing algorithm used for generation of the hash value; obtain the wrapped symmetric key provisioned by a symmetric key distribution service, wherein the symmetric key is wrapped using an asymmetric public key associated with the server host; transmit an application programming interface (API) request that includes the encrypted payload retrieved from the database, the clear text password extracted from the login request, and the wrapped symmetric key provisioned by the symmetric key distribution service; and receive an API response that indicates whether a hash value of the clear text password from the login request corresponds to the hash value of the user-configured password for the account.

Description

CROSS REFERENCE

The present Application for Patent claims priority to and the benefit of U.S. Provisional Application No. 63/521,562 by Peddada et al., entitled “HARDWARE-BACKED PASSWORD SECURITY FOR CLOUD SYSTEMS,” filed Jun. 16, 2023, and U.S. Provisional Application No. 63/523,911 by Peddada et al., entitled “HARDWARE-BACKED PASSWORD SECURITY FOR CLOUD SYSTEMS,” filed Jun. 28, 2023, each of which is assigned to the assignee hereof and is expressly incorporated by reference in its entirety herein.

FIELD OF TECHNOLOGY

The present disclosure relates generally to database systems and data processing, and more specifically to hardware-backed password security for cloud systems.

BACKGROUND

A cloud platform (i.e., a computing platform for cloud computing) may be employed by multiple users to store, manage, and process data using a shared network of remote servers. Users may develop applications on the cloud platform to handle the storage, management, and processing of data. In some cases, the cloud platform may utilize a multi-tenant database system. Users may access the cloud platform using various user devices (e.g., desktop computers, laptops, smartphones, tablets, or other computing systems). In one example, the cloud platform may support customer relationship management (CRM) solutions. This may include support for sales, service, marketing, community, analytics, applications, and the Internet of Things. A user may utilize the cloud platform to help manage contacts of the user. For example, managing contacts of the user may include analyzing data, storing and preparing communications, and tracking opportunities and sales.

A cloud platform may use hashing techniques to securely store and manage account information (such as passwords). However, as password cracking schemes improve and security standards evolve, keeping all sensitive information protected and up-to-date may be time-consuming and computationally expensive.
BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 illustrates an example of a computing system that supports hardware-backed password security for cloud systems in accordance with aspects of the present disclosure. FIGS. 2A, 2B, and 2C show examples of computing systems that support hardware-backed password security for cloud systems in accordance with aspects of the present disclosure. FIGS. 3A, 3B, and 3C show examples of process flows that support hardware-backed password security for cloud systems in accordance with aspects of the present disclosure. FIG. 4 shows a block diagram of an apparatus that supports hardware-backed password security for cloud systems in accordance with aspects of the present disclosure. FIG. 5 shows a block diagram of a password encryption manager that supports hardware-backed password security for cloud systems in accordance with aspects of the present disclosure. FIG. 6 shows a diagram of a system including a device that supports hardware-backed password security for cloud systems in accordance with aspects of the present disclosure. FIG. 7 shows a flowchart illustrating methods that support hardware-backed password security for cloud systems in accordance with aspects of the present disclosure.

DETAILED DESCRIPTION

A multi-tenant cloud system may store and manage login credentials (such as usernames and passwords) for a large number of users. To ensure that sensitive account information (such as user-configured passwords) is securely stored and protected, the multi-tenant cloud system may use cryptographic hashing: a mathematical function (also referred to as a hash function or a hashing algorithm) takes an input (e.g., a clear text password) and produces a fixed-size output, such as a string of bytes.
The purpose of password hashing is to avoid storing or transmitting plain text passwords (equivalently referred to as clear text passwords) within the multi-tenant cloud system, since plain text passwords are vulnerable to theft or misuse if compromised. Instead, the password is transformed into a hash value, typically a fixed-length string of characters that is, in practice, unique to the password input. The same password input always produces the same hash value, but it is computationally infeasible to reverse the process and recover the original password from the resulting hash value. Storing hash values (instead of the plain text passwords themselves) in a database may improve the overall security of the database, as malicious actors (i.e., attackers) may be unable to access or extract plain text passwords from the database in the event of a data breach.

However, if the database switches from one hashing algorithm or scheme to another, updating all existing hash values (without knowing the associated plain text passwords) may be computationally expensive and error-prone, and may leave the database susceptible to security breaches and/or denial of service (DoS) attacks. The techniques described herein provide for using
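The following Go program is an added worked example, not code from the patent or from Salesforce. It models the enrolment path of claim 2 and the login path of claim 6 as a key protection component that unwraps an RSA-OAEP-wrapped AES-256 key, seals a payload of algorithm indicator plus hash value with AES-GCM under a fresh initialization vector, and later decrypts the stored record, hashes the submitted password with whichever algorithm the payload names, and compares in constant time, returning the Boolean of claim 13. It also shows the migration point made in the description: because each record carries its own algorithm indicator, a record can be re-enrolled under a new algorithm at the moment of a successful login, when the clear text is in hand, rather than by rehashing the whole database. Everything beyond the claims is an assumption of mine: the cipher choices (RSA-OAEP, AES-256-GCM), the payload layout, the OAEP label, the names KeyProtection, Enroll, Verify and NewHost, the reduction of the key distribution service to a single wrap under the host's public key, the choice to wire up only SHA-256 and SHA-512 from the claim 12 list, and the constructed sample password.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/subtle"
	"fmt"
)

// OAEP label bound to the wrapped symmetric key; hypothetical, chosen for this example.
var wrapLabel = []byte("password-record-key")

// Record is what the database stores with the account (claim 3): the encrypted
// payload and its IV. The clear payload layout used here is "<indicator>\x00<hash>".
type Record struct{ Ciphertext, IV []byte }

// digest runs the algorithm named by the indicator. Claim 12 also lists SHA-384
// and Keccak; they are left out to keep the table short.
func digest(alg, pw string) ([]byte, error) {
	switch alg {
	case "SHA-256":
		s := sha256.Sum256([]byte(pw))
		return s[:], nil
	case "SHA-512":
		s := sha512.Sum512([]byte(pw))
		return s[:], nil
	}
	return nil, fmt.Errorf("unknown hashing algorithm %q", alg)
}

// KeyProtection stands in for the key protection component: it alone holds the
// host's private key, so it alone unwraps the symmetric key and sees clear hashes.
type KeyProtection struct{ priv *rsa.PrivateKey }

func (k *KeyProtection) unwrap(wrapped []byte) (cipher.AEAD, error) {
	raw, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, k.priv, wrapped, wrapLabel)
	if err != nil { return nil, err }
	block, err := aes.NewCipher(raw)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Enroll follows claim 2: unwrap, hash, build the payload, seal it under a fresh
// IV, and return ciphertext plus IV for the host to store.
func (k *KeyProtection) Enroll(pw, alg string, wrapped []byte) (Record, error) {
	aead, err := k.unwrap(wrapped)
	if err != nil { return Record{}, err }
	sum, err := digest(alg, pw)
	if err != nil { return Record{}, err }
	iv := make([]byte, aead.NonceSize())
	if _, err := rand.Read(iv); err != nil { return Record{}, err }
	plain := append(append([]byte(alg), 0), sum...)
	return Record{Ciphertext: aead.Seal(nil, iv, plain, nil), IV: iv}, nil
}

// Verify follows claim 6 and yields the Boolean of claim 13. A failed GCM tag check
// is an error rather than false, so a tampered or mis-keyed record is not reported
// as a wrong password.
func (k *KeyProtection) Verify(candidate string, rec Record, wrapped []byte) (bool, error) {
	aead, err := k.unwrap(wrapped)
	if err != nil { return false, err }
	plain, err := aead.Open(nil, rec.IV, rec.Ciphertext, nil)
	if err != nil { return false, fmt.Errorf("encrypted payload failed integrity check: %w", err) }
	alg, stored, _ := bytes.Cut(plain, []byte{0})
	sum, err := digest(string(alg), candidate)
	if err != nil { return false, err }
	return subtle.ConstantTimeCompare(sum, stored) == 1, nil
}

// NewHost makes a host key pair and a sub-system AES-256 key and returns the key
// wrapped under the host's public key, standing in for the distribution service of
// claims 7 and 8 (the intermediate-key rewrap step is omitted).
func NewHost() (*KeyProtection, []byte, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil { return nil, nil, err }
	symKey := make([]byte, 32)
	if _, err := rand.Read(symKey); err != nil { return nil, nil, err }
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, &priv.PublicKey, symKey, wrapLabel)
	return &KeyProtection{priv: priv}, wrapped, err
}

func main() {
	kpc, wrapped, _ := NewHost()
	const pw = "correct horse battery staple" // constructed sample password
	rec, _ := kpc.Enroll(pw, "SHA-256", wrapped)
	ok, _ := kpc.Verify(pw, rec, wrapped)
	// Migration without a bulk rehash: the clear text is in hand at a successful
	// login, so the record is re-enrolled under the new algorithm at that moment.
	migrated, _ := kpc.Enroll(pw, "SHA-512", wrapped)
	okAfter, _ := kpc.Verify(pw, migrated, wrapped)
	fmt.Println("login:", ok, "after migration:", okAfter)
}
```

Two practitioner notes on the design. First, the AEAD tag is what lets the component tell a tampered or foreign-keyed database row apart from a wrong password; collapsing both into a single false would hide corruption of the credential store behind ordinary login failures. Second, the claims recite plain SHA-2 and Keccak digests; the encrypted envelope protects the hash values against database theft but does nothing to slow online or offline guessing by anyone who can drive the API, so a deployment would want a per-account salt and a deliberately slow password hash in the digest slot, which the indicator-in-payload design accommodates without changing anything else.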