Session negotiations
First Claim
1. A computer-implemented method, comprising:
- at a first security module of a plurality of security modules;
  - obtaining, from an operator device, a first request for a session key;
  - in response to the first request, using a domain key to encrypt one or more session keys and information usable to identify the operator device, the domain key accessible to each of the plurality of security modules; and
  - providing the one or more session keys and encrypted one or more session keys to the operator device; and
- at a second security module, different from the first security module, of the plurality of security modules;
  - obtaining, from the operator device, a second request to perform a cryptographic operation, the second request including data, an encrypted session key from the encrypted one or more session keys, and a digital signature generated based at least in part on the session key;
  - using the domain key to decrypt the encrypted session key and the information usable to identify the operator device;
  - verifying that the operator device matches the information usable to identify the operator device;
  - using the session key to verify the digital signature;
  - as a result of verifying the digital signature and verifying that the operator device matches the information usable to identify the operator device, performing the requested cryptographic operation using at least the data;
  - using the session key to encrypt a result of performing the requested cryptographic operation; and
  - providing the encrypted result to the operator device.
Abstract
A plurality of devices are each operable to provide information that is usable to prove authorization with any of the other devices. The devices may have common access to a cryptographic key. A device may use the cryptographic key to encrypt a session key and provide both the session key and the encrypted session key. Requests to any of the devices can include the encrypted session key and a digital signature generated using the session key. In this manner, a device that receives the request can decrypt the session key and use the decrypted session key to verify the digital signature.
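The flow described in the abstract and the first claim, as an added example that is not taken from the patent or any product: one module issues a session key wrapped under the shared domain key, and a different module later authorizes a request without holding any per-session state. Assumptions: the class and function names are hypothetical, HMAC-SHA256 stands in for the "digital signature", the requested operation is a placeholder hash, and `seal`/`unseal` are a stdlib encrypt-then-MAC stand-in for a vetted AEAD such as AES-GCM.

```python
import hashlib, hmac, json, secrets

def prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()

def xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream (stand-in cipher, see lead-in)
    blocks = (len(data) + 31) // 32
    stream = b"".join(prf(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = xor_stream(prf(key, b"enc"), nonce, plaintext)
    return nonce + ct + prf(prf(key, b"mac"), nonce + ct)

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(prf(key, b"mac"), nonce + ct)):
        raise ValueError("ciphertext failed integrity check")
    return xor_stream(prf(key, b"enc"), nonce, ct)

class SecurityModule:
    def __init__(self, domain_key):
        self.domain_key = domain_key  # shared by every module in the fleet

    def issue_session(self, operator_id):
        # First request: return the session key plus a copy sealed under the domain key
        session_key = secrets.token_bytes(32)
        body = json.dumps({"op": operator_id, "k": session_key.hex()}).encode()
        return session_key, seal(self.domain_key, body)

    def handle(self, operator_id, data, token, signature):
        # Second request: may arrive at any module holding the domain key
        claims = json.loads(unseal(self.domain_key, token))
        session_key = bytes.fromhex(claims["k"])
        if claims["op"] != operator_id:
            raise PermissionError("token was issued to a different operator")
        if not hmac.compare_digest(signature, prf(session_key, token + data)):
            raise PermissionError("request signature does not verify")
        result = hashlib.sha256(data).digest()  # placeholder cryptographic operation
        return seal(session_key, result)

def demo():
    domain_key = secrets.token_bytes(32)
    first, second = SecurityModule(domain_key), SecurityModule(domain_key)
    session_key, token = first.issue_session("operator-1")
    data = b"constructed sample payload"
    signature = prf(session_key, token + data)
    reply = second.handle("operator-1", data, token, signature)
    return unseal(session_key, reply) == hashlib.sha256(data).digest()
```

Here `operator_id` is assumed to come from an already authenticated channel; the sealed token only binds the session key to that identity.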
21 Claims
7. A computer-implemented method, comprising:
- obtaining a request, from a requestor, to perform a cryptographic operation, the request including data, a ciphertext of a first key and information usable to identify the requestor, and authentication information generated based at least in part on the first key;
- decrypting the ciphertext using a second key accessible to a plurality of security devices to obtain the first key and the information usable to identify the requestor;
- verifying that the requestor matches the information usable to identify the requestor;
- verifying authenticity of the request based at least in part on the authentication information and the first key;
- as a result of verifying the authenticity of the request and verifying that the requestor matches the information usable to identify the requestor, performing the cryptographic operation using at least the data;
- using the first key to encrypt a result of performing the cryptographic operation; and
- providing the encrypted result to the requestor.
14. A system, comprising memory to store instructions that, as a result of execution by one or more processors, cause the system to:
- generate, based at least in part on a first key accessible to each of a plurality of devices, information that is usable, by another device of the plurality of devices lacking access to the first key, for causing any device of the plurality of devices to provide a result of performance of one or more requested cryptographic operations, wherein the information comprises;
  - authentication information to authenticate a request to perform the one or more requested cryptographic operations; and
  - an encrypted second key in encrypted data that is separate from the authentication information, the second key being usable to verify the authentication information; and
- provide the generated information.
Specification