US-20260128863-A1 - AGENTLESS SINGLE SIGN-ON TECHNIQUES

Abstract

Described herein are methods, systems, and computer-readable storage media for using a network identity. Techniques may include obtaining and encrypting a first data element using an encryption key and storing the encrypted first data element mapped to a network identity. Techniques may further include receiving a request from the network identity to perform an action on a resource and authenticating the network identity using an existing protocol, decrypting the first data element using a second data element calculated based on standard fields of the existing protocol, and enabling the action on the resource using the first data element.

Inventors

  • Tomer DAYAN
  • Yaron Nisimov

Assignees

  • CYBERARK SOFTWARE LTD.

Dates

Publication Date
2026-05-07
Application Date
2025-09-29

Claims (20)

  1-22. (canceled)
  23. A non-transitory computer readable medium including instructions that, when executed by at least one processor, cause the at least one processor to perform operations when using a network identity, the operations comprising: obtaining a first data element; encrypting the first data element; storing the encrypted first data element, wherein the encrypted first data element is mapped to a network identity; receiving a request from the network identity to perform an action on a resource; authenticating the network identity; decrypting the first data element, based on a determination that a trigger event associated with the authentication has occurred, wherein the trigger event is configured using a configuration setting stored in association with the action provided in the request; and enabling the action on the resource using the first data element.
  24. The non-transitory computer readable medium of claim 23, wherein the first data element is generated by an authentication engine based on data sent by the network identity.
  25. The non-transitory computer readable medium of claim 23, wherein the first data element comprises a credential required to access the resource.
  26. The non-transitory computer readable medium of claim 23, wherein the encrypted first data element is stored in a memory location that is inaccessible to the network identity until authentication is complete.
  27. The non-transitory computer readable medium of claim 23, wherein encrypting the first data element comprises: encrypting the first data element using a data key; and encrypting the data key using an encryption key received from a third-party.
  28. The non-transitory computer readable medium of claim 23, wherein the network identity is associated with a data structure to map to at least one of a data element or a data key.
  29. The non-transitory computer readable medium of claim 23, wherein the resource is distinct from the network identity.
  30. The non-transitory computer readable medium of claim 23, wherein the request includes details of a type of action and timing to perform the action.
  31. The non-transitory computer readable medium of claim 23, wherein the request is transmitted using a communication protocol data packet.
  32. The non-transitory computer readable medium of claim 23, wherein authenticating the network identity includes using post-quantum public key cryptography.
  33. The non-transitory computer readable medium of claim 23, wherein the network identity is authenticated using an existing protocol, and wherein the authentication is independent of the action and the resource.
  34. The non-transitory computer readable medium of claim 23, wherein authenticating the network identity includes verifying a license of the network identity.
  35. The non-transitory computer readable medium of claim 23, wherein the decrypted first data element cannot be calculated by the network identity.
  36. The non-transitory computer readable medium of claim 23, wherein the configuration setting includes a time period for recurring actions at a fixed period, regular intervals, or a dynamic period based on a trigger event.
  37. The non-transitory computer readable medium of claim 36, wherein the trigger event comprises a port mapping update.
  38. The non-transitory computer readable medium of claim 23, wherein enabling the action comprises: determining the action based on the first data element; and enabling the determined action.
  39. The non-transitory computer readable medium of claim 23, wherein enabling the action includes executing software code related to the action.
  40. The non-transitory computer readable medium of claim 23, wherein decrypting the first data element includes using a second data element calculated based on standard fields of an existing protocol.
  41. The non-transitory computer readable medium of claim 40, wherein the second data element comprises a decrypted version of the first data element or a token to authenticate the network identity.

Description

TECHNICAL FIELD

This disclosure relates to agentless single sign-on techniques for network identities to access various types of resources. In some embodiments, for example, this disclosure relates to systems and methods for generating and storing the data required to automatically perform actions with single sign-on when network identities access network resources.

BACKGROUND

Network identities may include users and computing devices that connect to various resources and need direct access to the resources, or to a gateway in front of such resources. Security vulnerabilities may arise, however, when an identity impersonates a trusted identity on behalf of a network identity in order to obtain access to resources. In some situations, for example, network identities can attempt to obtain access to resources using techniques such as port forwarding. Impersonation techniques create a single point of failure in a network. These vulnerabilities are magnified when a compromised gateway obtains the ability to impersonate network identities: an attacker who controls the gateway can then impersonate any user or device and access any resource. Port forwarding techniques do not necessarily create a single point of failure, but they require a setup that forwards data for each user or device from an internal port of an execution environment to an external port on a resource, and they may require tracking all mappings between internal and external ports. Further, impersonation and port forwarding techniques are limited to accessing trusted resources and cannot perform additional actions, for example logging certain activities or files on a resource.

According to the techniques described herein, secure access to resources over a network by network identities can be achieved via a gateway that uses data packets of existing communication protocols to carry additional information related to the actions to perform on trusted resources, including authentication. Such additional information shared between network identities and a gateway can further be secured using encryption. Thus, in view of these types of network vulnerabilities, there is a need for technological solutions that manage network identities' access to resources securely, without a complex setup, and without exposing a single point of failure. Such solutions will advantageously, as described herein, help avoid high-risk single points of failure, the limited functionality of port forwarding, and the cost of customizing remote access protocols. Furthermore, there is a technological need for simple techniques, as discussed below, that allow various actions to be performed on resources without requiring any complex customization. Such solutions should also be easily adaptable to new communication protocols, new network identities, and new resources. Further technical improvements are described in the example embodiments below.

SUMMARY

Certain embodiments of the present disclosure relate to a non-transitory computer readable medium including instructions that are executable by at least one processor to perform operations when using a network identity. The operations may include obtaining a first data element, encrypting the first data element using an encryption key, storing the encrypted first data element, wherein the encrypted first data element is mapped to a network identity, receiving a request from the network identity to perform an action on a resource, authenticating the network identity using an existing protocol, decrypting the first data element using a second data element calculated based on standard fields of the existing protocol, and enabling the action on the resource using the first data element.

According to some disclosed embodiments, encrypting the first data element using the encryption key further comprises encrypting the first data element using a data key, and encrypting the data key using the encryption key. According to some disclosed embodiments, storing the encrypted first data element includes storing the encrypted first data element and the encrypted data key. According to some disclosed embodiments, the encrypted first data element is mapped to the network identity, wherein the mapping includes mapping the stored encrypted first data element and the encrypted data key to the network identity. According to some disclosed embodiments, decrypting the first data element of the network identity occurs as part of an authentication of the network identity. According to some disclosed embodiments, the decrypted first data element cannot be calculated by the network identity. According to some disclosed embodiments, the operations may further comprise calculating the second data element by the network identity. According to some disclosed embodiments, enabling the action may further comprise determining the action based on the first data element, and enabling the determined action. Ac
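The envelope scheme described in the Summary and in claims 23, 27, 35 and 40 (credential sealed under a data key, data key wrapped under a key derived from standard fields of the existing protocol, release gated on authentication and on the trigger configured for the requested action), written out as an added example. This is not CyberArk's implementation or code from the patent: the choice of AES-256-GCM, HMAC-SHA256 as the derivation function, the "principal" and "realm" fields, the gateway secrets, the shared-secret stand-in for the existing authentication protocol, and the action-to-trigger table are all assumptions made for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// record is what the gateway stores per network identity: the credential (the
// "first data element") sealed under a random data key, and that data key
// wrapped under a key the identity itself cannot compute (claims 26, 27, 35).
type record struct{ sealedCred, wrappedDEK []byte }

// Gateway models the agentless SSO gateway. kdfSecret is an assumed gateway-only
// secret; authSecret stands in for the existing authentication protocol; triggers
// maps each action to the trigger event that must occur before decryption.
type Gateway struct {
	kdfSecret, authSecret []byte
	store                 map[string]record
	triggers              map[string]string
}

// kdf derives a 32-byte key or token from NUL-joined standard protocol fields.
func kdf(secret []byte, fields []string) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(strings.Join(fields, "\x00")))
	return mac.Sum(nil)
}

func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // every key here is 32 bytes, so this cannot fail
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return gcm
}

// sealGCM encrypts with AES-256-GCM and prefixes the random 12-byte nonce.
func sealGCM(key, plaintext, aad []byte) []byte {
	gcm := gcmFor(key)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// openGCM reverses sealGCM; a wrong key or tampered input fails authentication.
func openGCM(key, sealed, aad []byte) ([]byte, error) {
	gcm := gcmFor(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Enroll encrypts the credential and stores it mapped to identity: a fresh data
// key seals the credential, and the data key is wrapped under the "second data
// element" derived from the identity's standard protocol fields.
func (g *Gateway) Enroll(identity string, fields []string, credential []byte) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	g.store[identity] = record{
		sealedCred: sealGCM(dek, credential, []byte(identity)),
		wrappedDEK: sealGCM(kdf(g.kdfSecret, fields), dek, []byte(identity)),
	}
}

// Authorize handles a request to perform action on a resource: authenticate, require
// the trigger configured for the action, recompute the wrapping key from the request's
// own standard fields, unwrap the data key and release the credential. Fields that
// differ from enrollment give a different key, so the unwrap fails rather than
// releasing another identity's credential; an unenrolled identity fails the same way.
func (g *Gateway) Authorize(identity string, fields []string, token []byte, action, trigger string) ([]byte, error) {
	if !hmac.Equal(token, kdf(g.authSecret, fields)) {
		return nil, errors.New("authentication failed")
	}
	if want, ok := g.triggers[action]; !ok || want != trigger {
		return nil, fmt.Errorf("action %q is not enabled on trigger %q", action, trigger)
	}
	dek, err := openGCM(kdf(g.kdfSecret, fields), g.store[identity].wrappedDEK, []byte(identity))
	if err != nil {
		return nil, errors.New("no credential released: identity or request fields do not match enrollment")
	}
	return openGCM(dek, g.store[identity].sealedCred, []byte(identity))
}

func main() {
	gw := &Gateway{kdfSecret: []byte("gateway-only-kdf-secret"), authSecret: []byte("shared-auth-secret"),
		store: map[string]record{}, triggers: map[string]string{"ssh-login": "session-open"}}
	fields := []string{"alice", "CORP.EXAMPLE"} // constructed sample fields: principal and realm
	gw.Enroll("alice", fields, []byte("alice-target-password"))
	cred, err := gw.Authorize("alice", fields, kdf(gw.authSecret, fields), "ssh-login", "session-open")
	fmt.Printf("released: %q err: %v\n", cred, err)
}
```

The point worth checking in practice is the one in claim 35: the gateway never stores the wrapping key, only the secret and the protocol fields needed to recompute it, and the identity holds neither, so a forged token, a request with a different principal, a request for an action whose configured trigger has not occurred, or a request for an identity that was never enrolled all fail before any credential leaves the store.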