Search

US-12627651-B2 - Secure password less critical computing infrastructure access communication network protocol

US12627651B2US 12627651 B2US12627651 B2US 12627651B2US-12627651-B2

Abstract

Systems, computer program products, and methods are described herein for a password less service identification protocol (PLSI). The PLSI protocol is a protocol and procedures that allow access to the full security layer of the critical computing infrastructure for complete secure access. There are four processes associated with the PLSI protocol including access initiation, PLSI service identification generation, PLSI handshake process, and PLSI service identification destruction. The secure password less critical computing infrastructure access communication network protocol can be used to utilize secure connection devices, to access critical production servers or databases where in the required security and compliance to segregation of duty based on entitlement, to establish a secure connection between two or more autonomous devices initiating, to establish secure connection on distributed cloud infrastructure, and/or to access node in block chain network to process the transaction.

Inventors

  • Maneesh Kumar Sethia
  • Shailendra Singh
  • Vasantha Lakshmi Meenakshi Sundararajan
  • Gowri Sundar Suriyanarayanan

Assignees

  • BANK OF AMERICA CORPORATION

Dates

Publication Date
20260512
Application Date
20240301

Claims (20)

  1. 1 . A system for secure password less critical computing infrastructure access communication network protocol, the system comprising: a communication network comprising a plurality of end-point devices; at least non-transitory storage device; a communication device; and a processing device operatively coupled to the at least one non-transitory storage device and the communication device, wherein the processing device is configured to execute the computer-readable program code to: receive, from an end-point device of the plurality of end-point devices, a request for critical computing infrastructure access using password less service identification (PLSI) protocol from a user, wherein the access request comprises a client identification associated with the end-point device and a client Internet Protocol (IP) address; validate the request for access based on at least an access duration associated with request, wherein validating the request for access comprises determining a match between the client IP address and the critical computing infrastructure; in response to successful validation of the request for access, generate a PLSI service identification for the user from end-point device, wherein generating the PLSI service identification further comprises: generating digest data associated with the end-point device comprising a database layer, prior application changes, and prior user input associated with the end-point device; and selecting a random portion of the digest data associated with the end-point device to add to the PLSI service identification, such that the PLSI service identification is unique to the request for access; provide the PLSI service identification to the user, wherein the PLSI service identification comprises a tag with access request information, the client identification, the generated digest data, and the access duration; in response to detecting the user's utilization of the PLSI service identification to access the critical computing infrastructure, perform a PLSI handshake protocol for validating access to the critical computing infrastructure; generate, upon validation of the PLSI service identification, a new encrypted connection for the user to use the end-point device to access the critical computing infrastructure; destruct the PLSI service identification upon detection of a logout of the user, completion of the new encrypted connection or upon a completion of a pre-determined amount of time, such that the PLSI service identification is incompatible with a subsequent validation; and prevent user access to the critical computing infrastructure outside of the request for access.
  2. 2 . The system of claim 1 , wherein generating the PLSI service identification for the user from the end-point device further comprises: transmitting an access request number, the client identification, and the access duration to a service identification management server; generating the digest data using a customizable digest generator; tagging access request information, the client identification, the generated digest data, and the access duration to the PLSI service identification; and transmit the access request information to the end-point device of the user.
  3. 3 . The system of claim 1 , wherein the processing device is further configured to execute the computer-readable program code to allow the user to access the critical computing infrastructure via the new encrypted connection.
  4. 4 . The system of claim 1 , wherein generating the new encrypted connection for the user to use the end-point device to access the critical computing infrastructure further comprises: encrypting all data and commands that are executed via the new encrypted connection with the generated digest data; and monitoring response operations taking place during the access duration by the user.
  5. 5 . The system of claim 1 , wherein the PLSI handshake protocol further comprises: transmitting the PLSI service identification to a service identification management server to decrypt the PLSI service identification using the generated digest data; and validating the PLSI service identification and extracting data using the generated digest data.
  6. 6 . The system of claim 1 , wherein the request for critical computing infrastructure access is a request from the user associated with an entity and the request is for access to a database or server to perform maintenance or upgrading during a predetermined time period.
  7. 7 . The system of claim 1 , wherein the request for critical computing infrastructure access further comprises information on a server to be accessed, what is being performed on the critical computing infrastructure, user information, and the client machine information associated with the access request.
  8. 8 . The system of claim 1 , wherein transmitting the access request information to the end-point device of the user requires user input of PLSI<Unique Server ID>Login.
  9. 9 . The system of claim 1 , wherein the secure password less critical computing infrastructure access communication network protocol provides limited access to a full security layer of the critical computing infrastructure and creates a secure connection to: (1) independent internet-of-things (IOT) devices, (2) establish a secure connection between two or more autonomous IOT devices initiating, (3) establish secure connection on distributed cloud infrastructure, and/or (4) access node in block chain network to process the transaction.
  10. 10 . A computer program product for secure password less critical computing infrastructure access communication network protocol, the computer program product comprising at least one non-transitory computer-readable medium having computer-readable program code portions embodied therein, the computer-readable program code portions comprising: an executable portion configured to receive, from an end-point device of the plurality of end-point devices, a request for critical computing infrastructure access using password less service identification (PLSI) protocol from a user, wherein the access request comprises a client identification associated with the end-point device and a client Internet Protocol (IP) address; an executable portion configured to validate the request for access based on at least an access duration associated with request, wherein validating the request for access comprises determining a match between the client IP address and the critical computing infrastructure; an executable portion configured to, in response to successful validation of the request for access, generate a PLSI service identification for the user from end-point device, wherein generating the PLSI service identification further comprises: generating digest data associated with the end-point device comprising a database layer, prior application changes, and prior user input associated with the end-point device; and selecting a random portion of the digest data associated with the end-point device to add to the PLSI service identification, such that the PLSI service identification is unique to the request for access; an executable portion configured to provide the PLSI service identification to the user, wherein the PLSI service identification comprises a tag with access request information, the client identification, the generated digest data, and the access duration; an executable portion configured to, in response to detecting the user's utilization of the PLSI service identification to access the critical computing infrastructure, perform a PLSI handshake protocol for validating access to the critical computing infrastructure; an executable portion configured to generate, upon validation of the PLSI service identification, a new encrypted connection for the user to use the end-point device to access the critical computing infrastructure; an executable portion configured to destruct the PLSI service identification upon detection of a logout of the user, completion of the new encrypted connection or upon a completion of a pre-determined amount of time, such that the PLSI service identification is incompatible with a subsequent validation; and an executable portion configured to prevent user access to the critical computing infrastructure outside of the request for access.
  11. 11 . The computer program product of claim 10 , wherein generating the PLSI service identification for the user from the end-point device further comprises: transmitting an access request number, the client identification, and the access duration to a service identification management server; generating the digest data using a customizable digest generator; tagging access request information, the client identification, the generated digest data, and the access duration to the PLSI service identification; and transmit the access request information to the end-point device of the user.
  12. 12 . The computer program product of claim 10 , wherein the computer-readable program code further comprises an executable portion configured to allow the user to access the critical computing infrastructure via the new encrypted connection.
  13. 13 . The computer program product of claim 10 , wherein generating the new encrypted connection for the user to use the end-point device to access the critical computing infrastructure further comprises; encrypting all data and commands that are executed via the new encrypted connection with the generated digest data; and monitoring response operations taking place during the access duration by the user.
  14. 14 . The computer program product of claim 10 , wherein the PLSI handshake protocol further comprises: transmitting the PLSI service identification to a service identification management server to decrypt the PLSI service identification using the generated digest data; and validating the PLSI service identification and extracting data using the generated digest.
  15. 15 . The computer program product of claim 10 , wherein the request for critical computing infrastructure access is a request from the user associated with an entity and the request is for access to a database or server to perform maintenance or upgrading during a predetermined time period.
  16. 16 . The computer program product of claim 10 , wherein the request for critical computing infrastructure access further comprises information on a server to be accessed, what is being performed on the critical computing infrastructure, user information, and the client machine information associated with the access request.
  17. 17 . A method for secure password less critical computing infrastructure access communication network protocol, the method comprising: receiving a request, from an end-point device of the plurality of end-point devices, for critical computing infrastructure access using password less service identification (PLSI) protocol from a user, wherein the access request comprises a client identification associated with the end-point device and a client Internet Protocol (IP) address; validating the request for access based on at least an access duration associated with request, wherein validating the request for access comprises determining a match between the client IP address and the critical computing infrastructure; in response to successful validation of the request for access, generating a PLSI service identification for the user from end-point device, wherein generating the PLSI service identification further comprises: generating digest data associated with the end-point device comprising a database layer, prior application changes, and prior user input associated with the end-point device; and selecting a random portion of the digest data associated with the end-point device to add to the PLSI service identification, such that the PLSI service identification is unique to the request for access; providing the PLSI service identification to the user, wherein the PLSI service identification comprises a tag with access request information, the client identification, the generated digest data, and the access duration; in response to detecting the user's utilization of the PLSI service identification to access the critical computing infrastructure, performing a PLSI handshake protocol for validating access to the critical computing infrastructure; generating, upon validation of the PLSI service identification, a new encrypted connection for the user to use the end-point device to access the critical computing infrastructure; destructing the PLSI service identification upon detection of a logout of the user, completion of the new encrypted connection or upon a completion of a pre-determined amount of time, such that the PLSI service identification is incompatible with a subsequent validation; and preventing user access to the critical computing infrastructure outside of the request for access.
  18. 18 . The method of claim 17 , wherein generating the PLSI service identification for the user from the end-point device further comprises: transmitting an access request number, the client identification, and the access duration to a service identification management server; generating the digest data using a customizable digest generator; tagging access request information, the client identification, the generated digest data, and the access duration to the PLSI service identification; and transmit the access request information to the end-point device of the user.
  19. 19 . The method of claim 17 , wherein the method further comprises allowing the user to access the critical computing infrastructure via the new encrypted connection.
  20. 20 . The method of claim 17 , wherein generating the new encrypted connection for the user to use the end-point device to access the critical computing infrastructure further comprises; encrypting all data and commands that are executed via the new encrypted connection with the generated digest data; and monitoring response operations taking place during the access duration by the user.

Description

BACKGROUND With advancements in technology and continued growth of network infrastructures required for entity management, it is critical to protect access to critical computing infrastructures. Currently, these critical computing infrastructures are accessed by using a service identification and a randomly generated password. However, a need exists for a secure password less critical computing infrastructure access communication network protocol. SUMMARY The following presents a simplified summary of one or more embodiments of the present invention, in order to provide a basic understanding of such embodiments. This summary is not an extensive overview of all contemplated embodiments and is intended to neither identify key or critical elements of all embodiments nor delineate the scope of any or all embodiments. Its sole purpose is to present some concepts of one or more embodiments of the present invention in a simplified form as a prelude to the more detailed description that is presented later. Entity users requiring infrastructure access are typically required to input a service identification with a password to gain infrastructure access. The password is usually generated based on a password generation mechanism. However, this method leaves entity infrastructures vulnerable to misappropriation and bad actor access if the actor understands the pattern of passwords generated by a generation mechanism. Even though the passwords are generated randomly, when a login attempt occurs the system uses password authentication protocol that directly sends the generated password in data packets for server authentication. This transmission of data packets may be vulnerable for third party access and misappropriation. Furthermore, when third party password generation mechanisms are used, those third parties may obtain information about server IP and login information for the entity computing infrastructure that may also be vulnerable. In light of this, using the third-party tools need to be constantly monitored by the entity to avoid any data leakage, which adds complexity, computing power, and expenses in protecting critical computing infrastructure access. Embodiments of the invention relate to systems, methods, and computer program products for secure password less critical computing infrastructure access communication network protocol, the invention comprising: receiving a request for critical computing infrastructure access using password less service identification (PLSI) protocol; generating a PLSI service identification for a user from a client device; providing the PLSI service identification to the user, wherein the PLSI service identification comprises a tag with access request information, client identification, a generated digest, and access duration; performing a PLSI handshake upon user input using the PLSI service identification; upon validation of the PLSI service identification, generating a new encrypted connection for the user to use the client device to access the critical computing infrastructure; and destructing the PLSI server identification upon completion of the new encrypted connection or upon a completion of a pre-determined amount of time. In some embodiments, generating the PLSI service identification for the user from the client device further comprises: transmitting an access request number, an official client identification, and an access duration window to a service identification management server; generating a digest using a customizable digest generator based on any random service identification data previously used; tagging access request information, client identification, the generated digest, and access duration to the PLSI service identification; and transmit the access request information to the client device of the user. In some embodiments, the customizable digest generator reviews a database layer, reviews previous application changes, reviews user pervious application inputs, and reviews any client identification information to generate a digest from randomly selected data from the reviews. In some embodiments, generating the new encrypted connection for the user to use the client device to access the critical computing infrastructure further comprises: encrypting all data and commends that are executed via the new encrypted connection with a generated digest; and monitoring response operations taking place during the access window by the user. In some embodiments, the PLSI handshake further comprises: transmitting the PLSI service identification to a service identification management server to decrypt the PLSI service identification using the generated digest and the PLSI service identification; and validating the PLSI service identification and extracting data using the generated digest. In some embodiments, the request for critical computing infrastructure access is a request from a user or client associated with an entity and the request is for access to a database