System and method for sharing keys across authenticators

US 10,237,070 B2
Filed: 12/31/2016
Issued: 03/19/2019
Est. Priority Date: 12/31/2016
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

first logic and circuitry to generate and store a persistent group identification code (Group-ID) for a group of authenticators sharing a common set of authentication (Uauth) keys, an initial Group-ID to be generated on a first use of a first authenticator and/or following a factory reset of the first authenticator;

second logic and circuitry of the first authenticator to generate and store an individual asymmetric wrapping key encryption key (WKEK) on a first use of the first authenticator and/or following each factory reset of the first authenticator;

third logic and circuitry to generate and store a symmetric wrapping key (WK), the symmetric wrapping key to be generated on a first use of the first authenticator and/or following each factory reset of the first authenticator;

fourth logic and circuitry of the first authenticator to generate a join-block using an authenticator identification code for the first authenticator and the asymmetric WKEK, the join-block usable to join an existing authenticator group, the join block to be sent to a second authenticator;

fifth logic and circuitry of a second authenticator to verify the join-block and generate a join response block responsive to user approval, the join response block generated by encrypting the symmetric WK and Group-ID using the asymmetric WKEK, the join response block to be transmitted to the first authenticator;

sixth logic and circuitry on the first authenticator to decrypt the join response block and store the symmetric WK and Group-ID;

a cloud service in communication with the first authenticator, the cloud service to generate a nonce and securely transmit the nonce to the first authenticator;

seventh logic and circuitry of the first authenticator to generate a sync-pull-request using the nonce, the Group-ID, a Cloud storage access ID encryption key (CSEK), and the asymmetric WKEK, and to transmit the sync-pull request to the Cloud service; and

the cloud service to decrypt the sync pull request and compare data contained therein to stored data and to generate a sync pull response including the stored data if the data in the sync pull request is different from the stored data.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system, apparatus, method, and machine readable medium are described for sharing authentication data. For example, one embodiment of a method comprises: generating and storing a persistent group identification code (Group-ID) for a group of authenticators sharing a common set of authorization (Uauth) keys, an initial Group-ID to be generated on a first use of a first authenticator and/or following a factory reset of the first authenticator generating and storing an individual asymmetric wrapping key encryption key (WKEK) on a first use of the first authenticator and/or following each factory reset of the first authenticator; generating and storing a symmetric wrapping key (WK), the wrapping key to be generated on a first use of the first authenticator and/or following each factory reset of the first authenticator; generating a join-block using an authenticator identification code for the first authenticator and the WKEK, the join-block usable to join an existing authenticator group, the join block to be sent to a second authenticator; verifying the join-block at the second authenticator and generating a join response block responsive to user approval, the join response block generated by encrypting the WK and Group-ID using the WKEK, the join response block to be transmitted to the first authenticator; and decrypting the join response block and storing the WK and Group-ID.

Citations

22 Claims

1. A system comprising:
- first logic and circuitry to generate and store a persistent group identification code (Group-ID) for a group of authenticators sharing a common set of authentication (Uauth) keys, an initial Group-ID to be generated on a first use of a first authenticator and/or following a factory reset of the first authenticator;
  
  second logic and circuitry of the first authenticator to generate and store an individual asymmetric wrapping key encryption key (WKEK) on a first use of the first authenticator and/or following each factory reset of the first authenticator;
  
  third logic and circuitry to generate and store a symmetric wrapping key (WK), the symmetric wrapping key to be generated on a first use of the first authenticator and/or following each factory reset of the first authenticator;
  
  fourth logic and circuitry of the first authenticator to generate a join-block using an authenticator identification code for the first authenticator and the asymmetric WKEK, the join-block usable to join an existing authenticator group, the join block to be sent to a second authenticator;
  
  fifth logic and circuitry of a second authenticator to verify the join-block and generate a join response block responsive to user approval, the join response block generated by encrypting the symmetric WK and Group-ID using the asymmetric WKEK, the join response block to be transmitted to the first authenticator;
  
  sixth logic and circuitry on the first authenticator to decrypt the join response block and store the symmetric WK and Group-ID;
  
  a cloud service in communication with the first authenticator, the cloud service to generate a nonce and securely transmit the nonce to the first authenticator;
  
  seventh logic and circuitry of the first authenticator to generate a sync-pull-request using the nonce, the Group-ID, a Cloud storage access ID encryption key (CSEK), and the asymmetric WKEK, and to transmit the sync-pull request to the Cloud service; and
  
  the cloud service to decrypt the sync pull request and compare data contained therein to stored data and to generate a sync pull response including the stored data if the data in the sync pull request is different from the stored data.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The system as in claim 1 further comprising:
    - eighth logic and/or circuitry on the first authenticator to decrypt the sync pull response and to securely store the data contained therein to synchronize with the existing authenticator group.
  - 3. The system as in claim 2 further comprising:
    - ninth logic and/or circuitry in the first authenticator to trigger generation of a sync-push-request to encrypt a set of data with the CSEK, the set of data including a nonce and the Group-ID.
  - 4. The system as in claim 1 wherein the seventh logic and/or circuitry is to further calculate a hash of internal persistent memory of the first authenticator, the hash signed by an attestation key of the first authenticator and then encrypted with the CSEK.
  - 5. The system as in claim 1 wherein the fourth logic and/or circuitry of the first authenticator is to generate the join-block using a concatenation of a nonce value, an authenticator identification code for the first authenticator, and the asymmetric WKEK, and signed with an attestation key of the first authenticator.
  - 6. The system as in claim 4 wherein the fifth logic and/or circuitry is to generate the join response block encrypting a concatenation of the symmetric WK and Group-ID using the asymmetric WKEK.
  - 7. The system as in claim 1 wherein the seventh logic and circuitry is to generate the sync-pull-request by encrypting a concatenation of the nonce, the Group-ID, and a hash over an internal persistent memory of the first authenticator using the CSEK.
  - 8. The system as in claim 1 further comprising:
    - a cloud-based join authenticator of the cloud service to initially register the second authenticator by creating a partition for the second authenticator, the partition usable to store key material for the second authenticator; and
      
      the cloud-based join authenticator to allow the first authenticator to be registered using the partition only if the first authenticator shares an authenticator attestation ID with the second authenticator.
  - 9. The system as in claim 1 further comprising:
    - initially registering a cloud-based join authenticator by authenticating with the cloud service from the first authenticator, sending a join block from the cloud-based join authenticator, and providing a join response block to the cloud-based join authenticator, wherein the cloud-based join authenticator stores the Group-ID and symmetric WK in a created partition.
  - 10. The system as in claim 1 further comprising:
    - a data migration card to securely store one or more keys on behalf of the second authenticator, the second authenticator to provide the keys to the data migration card only if the data migration card is determined to have an acceptable level of security.
  - 11. The system as in claim 10 further comprising:
    - the data migration card to restore the one or more keys to a first authenticator, only if the first authenticator has acceptable security characteristics.

12. A method comprising:
- generating and storing a persistent group identification code (Group-ID) for a group of authenticators sharing a common set of authorization (Uauth) keys, an initial Group-ID to be generated on a first use of a first authenticator and/or following a factory reset of the first authenticator;
  
  generating and storing an individual asymmetric wrapping key encryption key (WKEK) on a first use of the first authenticator and/or following each factory reset of the first authenticator;
  
  generating and storing a symmetric wrapping key (WK), the symmetric wrapping key to be generated on a first use of the first authenticator and/or following each factory reset of the first authenticator;
  
  generating a join-block using an authenticator identification code for the first authenticator and the asymmetric WKEK, the join-block usable to join an existing authenticator group, the join block to be sent to a second authenticator;
  
  verifying the join-block at the second authenticator and generating a join response block responsive to user approval, the join response block generated by encrypting the symmetric WK and Group-ID using the asymmetric WKEK, the join response block to be transmitted to the first authenticator;
  
  decrypting the join response block and storing the symmetric WK and Group-ID;
  
  generating a nonce at a cloud service and securely transmitting the nonce to the first authenticator;
  
  generating a sync-pull-request at the first authenticator using the nonce, the Group-ID, a Cloud storage access ID encryption key (CSEK), and the asymmetric WKEK, and transmitting the sync-pull request to the Cloud service; and
  
  decrypting the sync pull request at the cloud service, comparing data contained therein to stored data, and generating a sync pull response including the stored data if the data in the sync pull request is different from the stored data.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method as in claim 12 further comprising:
    - decrypting the sync pull response on the first authenticator and securely storing the data contained therein to synchronize with the existing authenticator group.
  - 14. The method as in claim 13 further comprising:
    - triggering generation of a sync-push-request on the first authenticator to encrypt a set of data with the CSEK, the set of data including a nonce and the Group-ID.
  - 15. The method as in claim 12 further comprising:
    - calculating a hash of internal persistent memory of the first authenticator, the hash signed by an attestation key of the first authenticator and then encrypted with the CSEK.
  - 16. The method as in claim 12 wherein the first authenticator is to generate the join-block using a concatenation of a nonce value, an authenticator identification code for the first authenticator, and the asymmetric WKEK, and signed with an attestation key of the first authenticator.
  - 17. The method as in claim 15 further comprising:
    - generating the join response block encrypting a concatenation of the symmetric WK and Group-ID using the asymmetric WKEK.
  - 18. The method as in claim 12 further comprising:
    - generating the sync-pull-request by encrypting a concatenation of the nonce, the Group-ID, and a hash over an internal persistent memory of the first authenticator using the CSEK.
  - 19. The method as in claim 12 further comprising:
    - initially registering the second authenticator by a cloud-based join authenticator of the cloud service, by creating a partition for the second authenticator, the partition usable to store key material for the second authenticator;
      
      the cloud-based join authenticator to allow the first authenticator to be registered using the partition only if the first authenticator shares an authenticator attestation ID with the second authenticator.
  - 20. The method as in claim 12 further comprising:
    - initially registering a cloud-based join authenticator by authenticating with the cloud service from the first authenticator, sending a join block from the cloud-based join authenticator, and providing a join response block to the cloud-based join authenticator, wherein the cloud-based join authenticator stores the Group-ID and symmetric WK in a created partition.
  - 21. The method as in claim 12 further comprising:
    - securely storing one or more keys on a data migration card on behalf of the second authenticator, the second authenticator to provide the keys to the data migration card only if the data migration card is determined to have an acceptable level of security.
  - 22. The method as in claim 21 further comprising:
    - restoring the one or more keys to a first authenticator from the data migration card only if the first authenticator has acceptable security characteristics.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Nok Nok Labs Incorporated
Original Assignee
Nok Nok Labs Incorporated
Inventors
Lindemann, Rolf
Primary Examiner(s)
Nipa, Wasika

Application Number

US15/396,454
Publication Number

US 20180191501A1
Time in Patent Office

808 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/32   using biometric data, e.g. ...

G06F 3/0608   Saving storage space on sto...

G06F 3/0647   Migration mechanisms

G06F 3/0683   Plurality of storage devices

H04L 9/0822   using key encryption key

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0833   involving conference or gro...

H04L 9/0861   Generation of secret inform...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/14   using a plurality of keys o...

H04L 9/3231   Biological data, e.g. finge...

System and method for sharing keys across authenticators

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for sharing keys across authenticators

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links