System and method for sharing keys across authenticators
First Claim
1. A system comprising:
- first logic and circuitry to generate and store a persistent group identification code (Group-ID) for a group of authenticators sharing a common set of authentication (Uauth) keys, an initial Group-ID to be generated on a first use of a first authenticator and/or following a factory reset of the first authenticator;
- second logic and circuitry of the first authenticator to generate and store an individual asymmetric wrapping key encryption key (WKEK) on a first use of the first authenticator and/or following each factory reset of the first authenticator;
- third logic and circuitry to generate and store a symmetric wrapping key (WK), the symmetric wrapping key to be generated on a first use of the first authenticator and/or following each factory reset of the first authenticator;
- fourth logic and circuitry of the first authenticator to generate a join-block using an authenticator identification code for the first authenticator and the asymmetric WKEK, the join-block usable to join an existing authenticator group, the join block to be sent to a second authenticator;
- fifth logic and circuitry of a second authenticator to verify the join-block and generate a join response block responsive to user approval, the join response block generated by encrypting the symmetric WK and Group-ID using the asymmetric WKEK, the join response block to be transmitted to the first authenticator;
- sixth logic and circuitry on the first authenticator to decrypt the join response block and store the symmetric WK and Group-ID;
- a cloud service in communication with the first authenticator, the cloud service to generate a nonce and securely transmit the nonce to the first authenticator;
- seventh logic and circuitry of the first authenticator to generate a sync-pull-request using the nonce, the Group-ID, a Cloud storage access ID encryption key (CSEK), and the asymmetric WKEK, and to transmit the sync-pull request to the Cloud service; and
- the cloud service to decrypt the sync pull request and compare data contained therein to stored data and to generate a sync pull response including the stored data if the data in the sync pull request is different from the stored data.
Abstract
A system, apparatus, method, and machine readable medium are described for sharing authentication data. For example, one embodiment of a method comprises: generating and storing a persistent group identification code (Group-ID) for a group of authenticators sharing a common set of authorization (Uauth) keys, an initial Group-ID to be generated on a first use of a first authenticator and/or following a factory reset of the first authenticator; generating and storing an individual asymmetric wrapping key encryption key (WKEK) on a first use of the first authenticator and/or following each factory reset of the first authenticator; generating and storing a symmetric wrapping key (WK), the wrapping key to be generated on a first use of the first authenticator and/or following each factory reset of the first authenticator; generating a join-block using an authenticator identification code for the first authenticator and the WKEK, the join-block usable to join an existing authenticator group, the join block to be sent to a second authenticator; verifying the join-block at the second authenticator and generating a join response block responsive to user approval, the join response block generated by encrypting the WK and Group-ID using the WKEK, the join response block to be transmitted to the first authenticator; and decrypting the join response block and storing the WK and Group-ID.
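The join exchange described in the abstract, as an added example in Go (not code from the patent, which contains none): the joining authenticator generates its asymmetric WKEK, sends a join-block carrying its ID and WKEK public key, and the existing group member answers with a join response block that wraps the symmetric WK and the Group-ID under that WKEK, so only the holder of the matching private key can recover them. The concrete ciphers (ephemeral P-256 ECDH, SHA-256 as KDF, AES-256-GCM), the 32-byte WK length, and binding the joiner's ID and WKEK into the AEAD associated data are assumptions; the claims fix no algorithm, and "verifying the join-block" here means only that the WKEK parses as a valid public key, with the user-approval step left to the caller.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// JoinBlock is what the joining (first) authenticator sends: its ID and its asymmetric WKEK public key.
type JoinBlock struct{ AuthenticatorID string; WKEKPub []byte }
// JoinResponse wraps WK||Group-ID under the joiner's WKEK (assumed ECIES-style: ephemeral P-256 ECDH, SHA-256 KDF, AES-GCM).
type JoinResponse struct{ EphemeralPub, Nonce, Ciphertext []byte }
// NewWKEK generates the per-authenticator asymmetric WKEK (on first use or after a factory reset).
func NewWKEK() (*ecdh.PrivateKey, error) { return ecdh.P256().GenerateKey(rand.Reader) }
// wrapAEAD derives a one-time AES-256-GCM instance from the ECDH shared secret (assumption: plain SHA-256 as KDF).
func wrapAEAD(shared []byte) cipher.AEAD {
	k := sha256.Sum256(shared)
	block, _ := aes.NewCipher(k[:]) // 32-byte key, so NewCipher cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead
}
// MakeJoinResponse runs on the existing group member after user approval. Verifying the join-block
// here means the WKEK must be a valid P-256 point; the joiner's ID and WKEK are bound in as AAD.
func MakeJoinResponse(jb JoinBlock, wk []byte, groupID string) (*JoinResponse, error) {
	if len(wk) != 32 { return nil, errors.New("WK must be 32 bytes") }
	joinerPub, err := ecdh.P256().NewPublicKey(jb.WKEKPub)
	if err != nil { return nil, errors.New("join-block rejected: WKEK is not a valid public key") }
	eph, err := ecdh.P256().GenerateKey(rand.Reader) // fresh ephemeral key per response
	if err != nil { return nil, err }
	shared, err := eph.ECDH(joinerPub)
	if err != nil { return nil, err }
	nonce := make([]byte, 12) // standard GCM nonce size
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	plain := append(append([]byte{}, wk...), groupID...) // WK (32 bytes) followed by Group-ID
	aad := append([]byte(jb.AuthenticatorID), jb.WKEKPub...)
	return &JoinResponse{eph.PublicKey().Bytes(), nonce, wrapAEAD(shared).Seal(nil, nonce, plain, aad)}, nil
}
// OpenJoinResponse runs on the joiner; only its WKEK private key (and matching ID) unwraps WK and Group-ID.
func OpenJoinResponse(wkek *ecdh.PrivateKey, id string, jr *JoinResponse) ([]byte, string, error) {
	ephPub, err := ecdh.P256().NewPublicKey(jr.EphemeralPub)
	if err != nil { return nil, "", err }
	shared, err := wkek.ECDH(ephPub)
	if err != nil { return nil, "", err }
	aad := append([]byte(id), wkek.PublicKey().Bytes()...)
	plain, err := wrapAEAD(shared).Open(nil, jr.Nonce, jr.Ciphertext, aad) // fails on wrong key or tampering
	if err != nil { return nil, "", err }
	return plain[:32], string(plain[32:]), nil
}
func main() {} // entry point placeholder; the functions above are driven by a host program or test
```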
22 Claims
1. A system comprising: (identical to the First Claim given above; dependent claims 2 to 11)
12. A method comprising:
- generating and storing a persistent group identification code (Group-ID) for a group of authenticators sharing a common set of authorization (Uauth) keys, an initial Group-ID to be generated on a first use of a first authenticator and/or following a factory reset of the first authenticator;
- generating and storing an individual asymmetric wrapping key encryption key (WKEK) on a first use of the first authenticator and/or following each factory reset of the first authenticator;
- generating and storing a symmetric wrapping key (WK), the symmetric wrapping key to be generated on a first use of the first authenticator and/or following each factory reset of the first authenticator;
- generating a join-block using an authenticator identification code for the first authenticator and the asymmetric WKEK, the join-block usable to join an existing authenticator group, the join block to be sent to a second authenticator;
- verifying the join-block at the second authenticator and generating a join response block responsive to user approval, the join response block generated by encrypting the symmetric WK and Group-ID using the asymmetric WKEK, the join response block to be transmitted to the first authenticator;
- decrypting the join response block and storing the symmetric WK and Group-ID;
- generating a nonce at a cloud service and securely transmitting the nonce to the first authenticator;
- generating a sync-pull-request at the first authenticator using the nonce, the Group-ID, a Cloud storage access ID encryption key (CSEK), and the asymmetric WKEK, and transmitting the sync-pull request to the Cloud service; and
- decrypting the sync pull request at the cloud service, comparing data contained therein to stored data, and generating a sync pull response including the stored data if the data in the sync pull request is different from the stored data.
Dependent claims: 13 to 22.