Method and apparatus for lightweight rekeying of a master key in a single sign-on system
Abstract
A method, system, apparatus, and computer program product are presented for significantly decreasing the computational effort for a rekeying process without sacrificing the security of a single sign-on system. For each user, a "minor" key is created when the user's account within the single sign-on system is created; the user's minor key is used to encrypt and decrypt the user's target passwords. However, to protect the confidentiality of a user's minor key, the minor key is not stored directly. Instead, a storage key is generated by masking a user's minor key with the master key in an appropriate manner, e.g., using the user's minor key and the master key as inputs to an exclusive-OR function to generate the storage key. A user's storage key can then be stored without compromising the user's minor key or the master key, and the user's minor key can be efficiently regenerated using the storage key and the master key.
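The key hierarchy the abstract describes, and the steps of claims 1 and 11 (generate a minor key, encrypt the target passwords with it, XOR-mask the minor key with the master key, store the result), carried through as an added Python example. This is editor-written code, not the patent's own, and it makes one stand-in assumption: the target passwords are protected with an HMAC-SHA256 keystream plus an HMAC tag so that the block runs on the standard library alone; a real deployment would put an AEAD such as AES-GCM in that role. The names (`encode_minor_key`, `rekey_master`, `run_demo`) and the sample users and passwords are constructed for illustration.

```python
"""Minor/master key hierarchy with XOR-masked storage keys and cheap master rekeying.

Added example, not code from the patent. Stand-in assumption: target passwords are
protected with an HMAC-SHA256 keystream plus an HMAC tag (stdlib only); a real
deployment would use an AEAD such as AES-GCM in the same role."""
import hashlib
import hmac
import secrets

KEY_LEN = 32    # minor and master keys share a length, so XOR masking is length-preserving
NONCE_LEN = 16
TAG_LEN = 32


def generate_key() -> bytes:
    """Fresh random key (a per-user minor key, or the system master key)."""
    return secrets.token_bytes(KEY_LEN)


def _subkeys(minor_key: bytes):
    """Derive separate encryption and MAC keys from one minor key."""
    enc = hmac.new(minor_key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(minor_key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return blocks[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    if len(a) != len(b):
        raise ValueError("XOR operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_password(minor_key: bytes, password: bytes) -> bytes:
    """Record layout: nonce || ciphertext || tag; the tag covers nonce and ciphertext."""
    enc, mac = _subkeys(minor_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = xor_bytes(password, _keystream(enc, nonce, len(password)))
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_password(minor_key: bytes, record: bytes) -> bytes:
    enc, mac = _subkeys(minor_key)
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("target password record failed its integrity check")
    return xor_bytes(ct, _keystream(enc, nonce, len(ct)))


def encode_minor_key(minor_key: bytes, master_key: bytes) -> bytes:
    """Storage key = minor XOR master (the masking the abstract gives as its example)."""
    return xor_bytes(minor_key, master_key)


def decode_minor_key(storage_key: bytes, master_key: bytes) -> bytes:
    return xor_bytes(storage_key, master_key)


def rekey_master(storage_keys: dict, old_master: bytes, new_master: bytes) -> dict:
    """Re-mask every storage key under new_master: one XOR per user, no password touched."""
    delta = xor_bytes(old_master, new_master)
    return {user: xor_bytes(sk, delta) for user, sk in storage_keys.items()}


def tamper_detected(minor_key: bytes, record: bytes) -> bool:
    """True when a single flipped ciphertext bit is rejected by the integrity check."""
    damaged = bytearray(record)
    damaged[NONCE_LEN] ^= 0x01
    try:
        decrypt_password(minor_key, bytes(damaged))
        return False
    except ValueError:
        return True


def run_demo() -> dict:
    """Enrol users, rotate the master, and confirm every target password still decrypts."""
    users = {"alice": [b"pw-mail-1", b"pw-db-2"], "bob": [b"pw-vpn-3"]}  # constructed sample data
    master = generate_key()
    password_db, storage_keys, minors = {}, {}, {}
    for user, passwords in users.items():
        minor = generate_key()
        minors[user] = minor
        password_db[user] = [encrypt_password(minor, p) for p in passwords]
        storage_keys[user] = encode_minor_key(minor, master)
    new_master = generate_key()
    storage_keys = rekey_master(storage_keys, master, new_master)  # the lightweight rekey
    recovered = {
        user: [decrypt_password(decode_minor_key(storage_keys[user], new_master), rec) for rec in records]
        for user, records in password_db.items()
    }
    return {
        "passwords_survive_rekey": recovered == users,
        "minor_keys_unchanged": all(decode_minor_key(storage_keys[u], new_master) == minors[u] for u in users),
        "old_master_no_longer_works": all(decode_minor_key(storage_keys[u], master) != minors[u] for u in users),
        "tamper_rejected": tamper_detected(minors["alice"], password_db["alice"][0]),
    }
```

Running `run_demo()` returns all four flags as `True`. The cost that matters is in `rekey_master`: rotating the master is one XOR per user over a 32-byte storage key, and the encrypted target passwords are never read, decrypted or rewritten, which is the saving the title refers to. Two caveats follow directly from the XOR masking and are worth stating: the minor key must be uniformly random and at least as long as the master key, since the storage key is otherwise a partial leak of the master; and because `storage XOR minor == master`, anyone who obtains one user's plaintext minor key together with that user's storage key has the master key, so minor keys in memory need the same protection as the master itself. Neither point is specific to this page's construction; it is the standard behaviour of a one-time-pad style mask reused across many values.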
41 Citations
32 Claims
1. A method for securing data elements within a database, the method comprising the steps of:
generating a minor key;
encrypting a data element using the minor key;
storing the encrypted data element in the database;
retrieving a master key;
encoding the minor key with the master key to generate an encoded minor key; and
storing the encoded minor key.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10.

11. A method for securely managing target passwords, wherein the target passwords provide access to target resources within a data processing system, the method comprising the steps of:
generating a minor key for a user of the data processing system, wherein the user has a plurality of target passwords;
encrypting the plurality of target passwords using the minor key;
storing the plurality of encrypted target passwords in a database;
retrieving a master key;
encoding the minor key with the master key to generate an encoded minor key; and
storing the encoded minor key.
Dependent claims: 12, 13, 14, 15, 17, 18, 19, 20, 21, 22, 23, 24, 25, 27, 28, 29, 30.

16. A computer program product in a computer-readable medium for use in a data processing system for securing data elements within a database, the computer program product comprising:
instructions for generating a minor key;
instructions for encrypting a data element using the minor key;
instructions for storing the encrypted data element in the database;
instructions for retrieving a master key;
instructions for encoding the minor key with the master key to generate an encoded minor key; and
instructions for storing the encoded minor key.

26. A computer program product in a computer-readable medium for use in a data processing system for securely managing target passwords, wherein the target passwords provide access to target resources within the data processing system, the computer program product comprising:
instructions for generating a minor key for a user of the data processing system, wherein the user has a plurality of target passwords;
instructions for encrypting the plurality of target passwords using the minor key;
instructions for storing the plurality of encrypted target passwords in a database;
instructions for retrieving a master key;
instructions for encoding the minor key with the master key to generate an encoded minor key; and
instructions for storing the encoded minor key.

31. An apparatus for securing data elements within a database, the apparatus comprising:
generating means for generating a minor key;
encrypting means for encrypting a data element using the minor key;
first storing means for storing the encrypted data element in the database;
retrieving means for retrieving a master key;
encoding means for encoding the minor key with the master key to generate an encoded minor key; and
second storing means for storing the encoded minor key.

32. An apparatus for securely managing target passwords, wherein the target passwords provide access to target resources within a data processing system, the apparatus comprising:
generating means for generating a minor key for a user of the data processing system, wherein the user has a plurality of target passwords;
encrypting means for encrypting the plurality of target passwords using the minor key;
first storing means for storing the plurality of encrypted target passwords in a database;
retrieving means for retrieving a master key;
encoding means for encoding the minor key with the master key to generate an encoded minor key; and
second storing means for storing the encoded minor key.

Specification