Password-based generation and management of secret cryptographic keys

US 10,057,060 B2
Filed: 08/18/2017
Issued: 08/21/2018
Est. Priority Date: 08/26/2014
Status: Active Grant

First Claim

Patent Images

1. A user computer, comprising:

a memory having computer readable program instructions;

a processor, wherein the processor, in response to retrieval and execution of the computer readable program instructions, causes the user computer to perform operations comprising;

communicating by the user computer with a server via a network to generate a secret cryptographic key of the user computer,the server storing a secret server value and a check value which encodes a secret user value of the user computer and a user password,the communicating comprising;

encoding, in response to input via the user interface of an input password, the secret user value and the input password to produce a first value corresponding to the check value, and to communicate the first value to the server via the communications interface;

generating,in response to receiving from the server a second value produced by encoding the first value and the secret server value when the first value and the check value are compared to determine that the input password equals the user password,the secret cryptographic key by encoding the second value, the input password and the secret user value;

and performing, using the secret cryptographic key, a cryptographic operation on data.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A user computer generates a secret cryptographic key through communication with a server. A secret user value is provided at the user computer. A secret server value is provided at the server with a check value which encodes the secret user value and a user password. In response to input of an input password, the user computer encodes the secret user value and the input password to produce a first value corresponding to said check value, and communicates the first value to the server. The server compares the first value and check value to check whether the input password equals the user password. If so, the server encodes the first value and secret server value to produce a second value and communicates the second value to the user computer. The user computer generates the secret cryptographic key by encoding the second value, the input password and the secret user value.

Citations

20 Claims

1. A user computer, comprising:
- a memory having computer readable program instructions;
  
  a processor, wherein the processor, in response to retrieval and execution of the computer readable program instructions, causes the user computer to perform operations comprising;
  
  communicating by the user computer with a server via a network to generate a secret cryptographic key of the user computer,the server storing a secret server value and a check value which encodes a secret user value of the user computer and a user password,the communicating comprising;
  
  encoding, in response to input via the user interface of an input password, the secret user value and the input password to produce a first value corresponding to the check value, and to communicate the first value to the server via the communications interface;
  
  generating,in response to receiving from the server a second value produced by encoding the first value and the secret server value when the first value and the check value are compared to determine that the input password equals the user password,the secret cryptographic key by encoding the second value, the input password and the secret user value;
  
  and performing, using the secret cryptographic key, a cryptographic operation on data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The user computer of claim 1, wherein the processor, in response to retrieval and execution of the computer readable program instructions, causes the user computer to perform deleting the input password, the first value, the second value and the secret cryptographic key after performing the cryptographic operation on the data.
  - 3. The user computer of claim 2, wherein the processor, in response to retrieval and execution of the computer readable program instructions, causes the user computer to perform operations comprising:
    - regenerating, after deleting, the input password, the first value, the second value and the secret cryptographic key, the regenerating using the encoding, the secret user value and the input password to produce a first value corresponding to the check value, communicating the first value to the server via the communications interface, and the generating, in response to communication by the server of a second value produced by encoding the first value and the secret server value, the secret cryptographic key by encoding the second value, the input password and the secret user value; and
      
      decrypting the data previously encrypted using the regenerated secret cryptographic key.
  - 4. The user computer of claim 1, wherein the processor, in response to retrieval and execution of the computer readable program instructions, causes the user computer to perform operations comprising:
    - providing a user identifier for uniquely identifying the user computer to the server;
      
      communicating the user identifier to the server with the first value; and
      
      encoding the user identifier in the first value.
  - 5. The user computer of claim 4, wherein the processor, in response to retrieval and execution of the computer readable program instructions, causes the user computer to perform operations comprising:
    - retrieving a server identifier and encoding the server identifier in the first value; and
      
      encoding the server identifier in the cryptographic key.
  - 6. The user computer of claim 1, wherein the processor, in response to retrieval and execution of the computer readable program instructions, causes the user computer to perform operations comprising:
    - providing a user identifier for uniquely identifying the user computer to the server; and
      
      encoding the user identifier in the cryptographic key.
  - 7. The user computer of claim 1, wherein the communicating by the user computer with a server via a network to generate a secret cryptographic key of the user computer further comprises:
    - establishing, via interaction of the user computer and the server, a secure channel over the network, wherein the communicating by the user computer and server is conducted over the secure channel.
  - 8. The user computer of claim 1, wherein:
    - encoding the secret user value and the input password is performed using a hash function to perform the encoding; and
      
      generating the secret cryptographic key is performed by encoding the second value, the input password and the secret user value via the hash function.

9. A server comprising:
- a memory havingcomputer readable program instructionsand storing a secret user value, a secret server value and a check value which encodes the secret user value and a user password;
  
  a processor, wherein the processor, in response to retrieval and execution of the computer readable program instructions, causes the server to perform operations comprising;
  
  communicating by the server with a user computer for use in generating a secret cryptographic key of the user computer, which is connectable to the server via a network, the communicating comprising;
  
  comparing, in response to receipt from the user computer of a first value which corresponds to the check value and is produced by encoding the secret user value and an input password, the first value and the check value to check whether the it password equals the user password;
  
  encoding, in response to the checked input password equaling the user password, the first value and the secret server value to produce a second value;
  
  and communicating the second value to the user computer, the second value to be used by the user computer for use in generating the secret cryptographic key of the user computer by encoding the second value, the input password, and the secret user value.
- View Dependent Claims (10, 11, 12, 13, 14)
- - 10. The server of claim 9, wherein the processor, in response to retrieval and execution of the computer readable program instructions, causes the server to perform operations comprising:
    - receiving from the user computer a user identifier for uniquely identifying the user computer to the server, andencoding the user identifier in the second value.
  - 11. The server of claim 9, wherein the processor, in response to retrieval and execution of the computer readable program instructions, causes the server to perform operations comprising:
    - providing a server identifier for uniquely identifying the server to the user computer;
      
      encoding the server identifier in the second value.
  - 12. The server of claim 9, wherein the processor, in response to retrieval and execution of the computer readable program instructions, causes the server to perform operations comprising:
    - establishing, via interaction of the server and the user computer, a secure channel over the network, wherein the communicating by the server and user computer is conducted over the secure channel.
  - 13. The server of claim 9, wherein the processor, in response to retrieval and execution of the computer readable program instructions, causes the server to perform operations comprising:
    - implementing a throttling mechanism in dependence on whether the input password equals the user password.
  - 14. The server of claim 9, wherein:
    - the check value encodes the secret user value and the user password via a hash function; and
      
      encoding the second value is performed by encoding the first value and the secret server value via the hash function.

15. A method, comprising:
- communicating by the user computer with a server via a network to generate a secret cryptographic key of the user computer,the server storing, a secret server value and a check value which encodes a secret user value of the user computer and a user password,the communicating comprising;
  
  encoding, in response to input via the user interface of an input password, the secret user value and the input password to produce a first value corresponding to the check value, and to communicate the first value to the server via the communications interface;
  
  generating,in response to receiving from the server a second value produced by encoding the first value and the secret server value when the first value and the check value are compared to determine that the input password equals the user password,the secret cryptographic key by encoding the second value, the input password and the secret user value;
  
  and performing, using the secret cryptographic key, a cryptographic operation on data.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The method of claim 15, further comprising deleting the input password, the first value, the second value and the secret cryptographic key after performing the cryptographic operation on the data.
  - 17. The method of claim 16, further comprising:
    - regenerating, after deleting, the input password, the first value, the second value and the secret cryptographic key, the regenerating using the encoding, the secret user value and the input password to produce a first value corresponding to the check value, communicating the first value to the server via the communications interface, and the generating, in response to communication by the server of a second value produced by encoding the first value and the secret server value, the secret cryptographic key by encoding the second value, the input password and the secret user value; and
      
      decrypting the data previously encrypted using the regenerated secret cryptographic key.
  - 18. The method of claim 15, further comprising:
    - providing a user identifier for uniquely identifying the user computer to the server;
      
      communicating the user identifier to the server with the first value; and
      
      encoding the user identifier in the first value.
  - 19. The method of claim 18, further comprising:
    - retrieving a server identifier and encoding the server identifier in the first value; and
      
      encoding the server identifier in the cryptographic key.
  - 20. The method of claim 15, further comprising:
    - providing a user identifier for uniquely identifying the user computer to the server; and
      
      encoding the user identifier in the cryptographic key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
International Business Machines Corporation
Inventors
Camenisch, Jan, Enderlein, Robert, Krenn, Stephan, Lehmann, Anja, Neven, Gregory
Primary Examiner(s)
Vaughan, Michael R
Assistant Examiner(s)
McCoy, Richard A

Application Number

US15/680,804
Publication Number

US 20170373846A1
Time in Patent Office

368 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 9/0863 involving passwords or one-...

Password-based generation and management of secret cryptographic keys

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Password-based generation and management of secret cryptographic keys

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links