Method for key rotation

US 10,063,531 B2
Filed: 08/24/2017
Issued: 08/28/2018
Est. Priority Date: 07/27/2015
Status: Active Grant

First Claim

Patent Images

1. A method for cryptographic key rotation, the method comprising:

providing a cryptographic key rotation request to a client device to implement a cryptographic key rotation between the client device and a remote computing server, wherein the cryptographic key rotation causes the client device to generate one or more new cryptographic keys that are used to replace one or more pre-existing cryptographic keys stored at the client device and the remote computing server;

in response to receiving the key rotation request, generating a new asymmetric cryptographic key pair comprising a new private cryptographic key and a new public cryptographic key defining a public/private cryptographic key pair;

generating, at the client device, a key rotation communication that includes the new public cryptographic key of the new asymmetric cryptographic key pair, wherein the client device maintains the new private cryptographic key and does not transmit the new private cryptographic key pair to the remote computing server;

at the client device, using a pre-existing private cryptographic key of a pre-existing asymmetric cryptographic key pair to cryptographically sign the key rotation communication;

transmitting, via a network, to the remote computing server the cryptographically signed key rotation communication;

completing the cryptographic key rotation, wherein the completing includes;

(i) after transmitting the cryptographically signed key rotation communication, replacing, at the client device, the pre-existing private cryptographic key with the new private cryptographic key by ceasing a use of the pre-existing private cryptographic key in future communications with the remote computing server; and

(ii) after receiving, at the remote computing server, the cryptographically signed key rotation communication, decrypting by the remote computing server the cryptographically signed key rotation communication with a pre-existing public cryptographic key of the pre-existing asymmetric cryptographic key pair, replacing the pre-existing public cryptographic key with the new public cryptographic obtained from the cryptographically signed key rotation communication, wherein the remote computing server uses the new public cryptographic key in the future communications with the client device.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for key rotation includes initiating key rotation for a user account of a multi-factor authentication platform enabling one-time password authentication using a first symmetric cryptographic key; generating, at an authenticating device, a second symmetric cryptographic key; transmitting, at the authenticating device, the second symmetric cryptographic key to the multi-factor authentication platform; configuring the multi-factor authentication platform and the authenticating device to disable authentication that uses the first symmetric cryptographic key; and configuring the multi-factor authentication platform and the authenticating device to enable authentication that uses the second symmetric cryptographic key.

Citations

14 Claims

1. A method for cryptographic key rotation, the method comprising:
- providing a cryptographic key rotation request to a client device to implement a cryptographic key rotation between the client device and a remote computing server, wherein the cryptographic key rotation causes the client device to generate one or more new cryptographic keys that are used to replace one or more pre-existing cryptographic keys stored at the client device and the remote computing server;
  
  in response to receiving the key rotation request, generating a new asymmetric cryptographic key pair comprising a new private cryptographic key and a new public cryptographic key defining a public/private cryptographic key pair;
  
  generating, at the client device, a key rotation communication that includes the new public cryptographic key of the new asymmetric cryptographic key pair, wherein the client device maintains the new private cryptographic key and does not transmit the new private cryptographic key pair to the remote computing server;
  
  at the client device, using a pre-existing private cryptographic key of a pre-existing asymmetric cryptographic key pair to cryptographically sign the key rotation communication;
  
  transmitting, via a network, to the remote computing server the cryptographically signed key rotation communication;
  
  completing the cryptographic key rotation, wherein the completing includes;
  
  (i) after transmitting the cryptographically signed key rotation communication, replacing, at the client device, the pre-existing private cryptographic key with the new private cryptographic key by ceasing a use of the pre-existing private cryptographic key in future communications with the remote computing server; and
  
  (ii) after receiving, at the remote computing server, the cryptographically signed key rotation communication, decrypting by the remote computing server the cryptographically signed key rotation communication with a pre-existing public cryptographic key of the pre-existing asymmetric cryptographic key pair, replacing the pre-existing public cryptographic key with the new public cryptographic obtained from the cryptographically signed key rotation communication, wherein the remote computing server uses the new public cryptographic key in the future communications with the client device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the remote computing server is implemented by a multi-factor authentication service that transmits secondary authentication requests to the device, wherein the client device uses the new private cryptographic key to cryptographically signs an authentication response to the secondary authentication prior to transmitting the authentication response to the multi-factor authentication service.
  - 3. The method of claim 2, wherein:
    - wherein the cryptographic key rotation request is generated at an automated security monitoring module in response to detection of suspicious activity associated with symmetric cryptographic keys accessible to the multi-factor authentication platform.
  - 4. The method of claim 1, wherein the client device comprises a user device that uses a hardware random number generator or a hardware pseudo random number generator to generate the new asymmetric cryptographic key pair.
  - 5. The method of claim 1, further comprising:
    - in response to receiving the key rotation request, generating a new symmetric cryptographic key;
      
      generating, at the client device, the key rotation communication that includes the new public cryptographic key of the new asymmetric cryptographic key pair and the new symmetric key, wherein the client device maintains a copy of the new symmetric key; and
      
      at the client device, using the pre-existing private cryptographic key of the pre-existing asymmetric cryptographic key pair to cryptographically sign the key rotation communication; and
      
      transmitting, via the network, to the remote computing server the cryptographically signed key rotation communication that includes the new symmetric key.
  - 6. The method of claim 5, further comprising:
    - after the transmission of the cryptographically signed key rotation communication, replacing a pre-existing symmetric key at both the client device and the remote computing server and ceasing a use of the pre-existing symmetric.
  - 7. The method of claim 6, wherein:
    - the client device participates in authentication by generating a one-time password using the new symmetric cryptographic key.
  - 8. The method of claim 1, further comprising:
    - at the remote computing server, periodically generating key rotation requests that causes the client device to generate the one or more new cryptographic keys that are used to replace the one or more pre-existing cryptographic keys stored at the client device and the remote computing server; and
      
      periodically transmitting, by the remote computing server, the key rotation requests to the client device.
  - 9. The method of claim 1, further comprising:
    - detecting a compromising event at the remote computing server, wherein the compromising event indicates that the pre-existing public cryptographic key at the remote computing server has been improperly compromised;
      
      in response to detecting the comprising event, generating at the remote computing server the key rotation request; and
      
      transmitting the key rotation request to the client device.
  - 10. The method of claim 1, further comprising:
    - detecting a compromising event at the client device, wherein the compromising event indicates that the pre-existing private cryptographic key at the client device has been improperly compromised;
      
      in response to detecting the comprising event, automatically generating at the client device the new asymmetric cryptographic key pair comprising the new private cryptographic key and the new public cryptographic key defining the public/private cryptographic key pair; and
      
      transmitting, by the client device, to the remote computing server the new public cryptographic key.
  - 11. The method of claim 1, wherein:
    - the key rotation request comprises a request to generate a new symmetric key for the client device and remote computing server; and
      
      implementing a Diffie-Hellman cooperation between the client device and the remote computing device to generate a new shared symmetric cryptographic key, wherein Diffie-Hellman comprises a secure cryptographic key-exchange process that does not require a transmission of the new shared symmetric cryptographic key, wherein in response to generating the new shared symmetric cryptographic key, disabling a pre-existing symmetric cryptographic key at both the client device and the remote computing device.
  - 12. The method of claim 1, wherein:
    - the client device comprises an authentication device of a user, wherein using the authentication device is enabled to perform a multi-factor authentication in response to an authentication request from the remote computing server, andafter the cryptographic key rotation, the authentication device performs multi-factor authentication using the new private cryptographic key to cryptographically sign one or more authentication responses to one or more authentication requests from the remote computing server.
  - 13. The method of claim 1, wherein:
    - the remote computing server is implemented by a multifactor authentication service;
      
      a service provider using the multifactor authentication service generates the cryptographic key rotation request; and
      
      in response to generating the cryptographic key rotation request, transmitting the cryptographic key rotation request to the multifactor authentication service or the client device.

14. A method for key rotation comprising:
- initiating cryptographic key rotation for a user account of a multi-factor authentication platform, wherein an authenticating device participates in authentication with the multi-factor authentication platform by generating an authentication response to an authentication request and signing the authenticating response using a first private cryptographic key of a first asymmetric key set, wherein the first asymmetric key set includes the first private cryptographic key that is stored by the authenticating device and a first public cryptographic key that is stored by the multi-factor authentication platform;
  
  in response to initiating the cryptographic key rotation, generating, at the authenticating device, a second symmetric cryptographic key;
  
  signing, at the authenticating device, the second symmetric cryptographic key with the first private cryptographic key;
  
  transmitting, by the authenticating device, the signed second symmetric cryptographic key to the multi-factor authentication platform;
  
  configuring the multi-factor authentication platform and the authenticating device to;
  
  (i) disable authentication that uses a first symmetric cryptographic key; and
  
  (ii) enable authentication that uses the second symmetric cryptographic key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Duo Security Incorporated (Cisco Systems, Inc.)
Inventors
Oberheide, Jon, Goodman, Adam
Primary Examiner(s)
Hoffman, Brandon S

Application Number

US15/685,626
Publication Number

US 20180007025A1
Time in Patent Office

369 Days
Field of Search

None
US Class Current
CPC Class Codes

H04L 2463/082   applying multi-factor authe...

H04L 63/068   using time-dependent keys, ...

H04L 63/083   using passwords cryptograph...

H04L 9/0863   involving passwords or one-...

H04L 9/0891   Revocation or update of sec...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/3228   One-time or temporary data,...

Method for key rotation

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

14 Claims

Specification

Solutions

Use Cases

Quick Links

Method for key rotation

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

14 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links