System and method for using a unique identifier for encryption key derivation
Abstract
A system and method for using a unique identifier for encryption key derivation is presented. An application sends a password and a request for an encryption key to a hardware security module (HSM). The HSM uses the password to generate a tied application data encryption key (ADEK). The tied ADEK includes an encryption key and a known value that is “tied” to the password. The HSM encrypts the tied ADEK with a hardware master key and sends it to the application. When the application requests to encrypt or decrypt data, the application sends the encrypted tied ADEK and a password to the HSM. The password corresponds to the password used to generate the tied ADEK. The HSM uses an identical hardware master key and the password to recover the ADEK. The HSM also verifies that the known value is correct.
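To make the abstract's flow concrete, here is an added Python illustration (not code from the patent or any product): an HSM stand-in derives a mask from the password, XORs it over the generated key concatenated with a known value to form the tied ADEK, wraps the result under a master key, and on recovery un-ties with the supplied password and checks the known value. PBKDF2 for the mask, XOR for combining, an HMAC-SHA256 counter-mode keystream in place of the HSM's hardware cipher, and the 8-byte check pattern are all assumptions of this example.

```python
import hashlib
import hmac
import os
from typing import Optional

KNOWN_VALUE = b"ADEK-OK!"  # constructed 8-byte known value tied to the password
KEY_LEN = 32               # length of the generated data-encryption key
ROUNDS = 100_000           # PBKDF2 iteration count (assumed)


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyHsm:
    """Stand-in for the HSM: the hardware master key never leaves this object."""

    def __init__(self, master_key: bytes):
        self._mk = master_key

    def _mask(self, password: bytes, salt: bytes) -> bytes:
        # Mask value derived from the password, as long as key || known value.
        return hashlib.pbkdf2_hmac("sha256", password, salt, ROUNDS, KEY_LEN + len(KNOWN_VALUE))

    def _keystream(self, salt: bytes, n: int) -> bytes:
        # HMAC-SHA256 in counter mode under the master key; a real HSM would use AES.
        blocks = (n + 31) // 32
        return b"".join(hmac.new(self._mk, salt + i.to_bytes(4, "big"), "sha256").digest()
                        for i in range(blocks))[:n]

    def create_tied_adek(self, password: bytes) -> bytes:
        """Generate a key, tie it to the password, wrap it under the master key."""
        salt = os.urandom(16)
        generated_key = os.urandom(KEY_LEN)
        tied = _xor(generated_key + KNOWN_VALUE, self._mask(password, salt))
        ct = _xor(tied, self._keystream(salt, len(tied)))
        tag = hmac.new(self._mk, salt + ct, "sha256").digest()  # integrity of the wrapped blob
        return salt + ct + tag

    def recover_key(self, blob: bytes, password: bytes) -> Optional[bytes]:
        """Unwrap, un-tie with the supplied password, and verify the known value."""
        salt, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, hmac.new(self._mk, salt + ct, "sha256").digest()):
            return None  # blob tampered with or wrapped by a different master key
        tied = _xor(ct, self._keystream(salt, len(ct)))
        recovered = _xor(tied, self._mask(password, salt))
        key, known = recovered[:KEY_LEN], recovered[KEY_LEN:]
        if not hmac.compare_digest(known, KNOWN_VALUE):
            return None  # wrong password: the recovered known value does not match
        return key
```

The known-value check is what lets the HSM refuse to hand back a key when the second password differs from the one used at tie time, instead of silently returning garbage.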
Claims (20)
1. A method for securing data, said method comprising:
   receiving a first password corresponding to a software application;
   generating a first mask value based on the first password;
   combining the first mask value with a first encryption key, wherein the first encryption key is derived from a generated key and a known value, the combining resulting in a tied key;
   receiving a second password corresponding to the software application;
   generating a second mask value based on the second password;
   separating a recovered encryption key from the tied key using the second mask value, the recovered encryption key including a recovered generated key and a recovered known value; and
   encrypting data using the recovered generated key.
   Dependent claims: 2, 3, 4, 5, 6, 7.

8. An information handling system comprising:
   one or more processors;
   a memory accessible by the processors;
   one or more nonvolatile storage devices accessible by the processors;
   a hardware security module accessible by the processors;
   a data security tool for securing data using the hardware security module, the data security tool including:
   means for receiving a first password corresponding to a software application;
   means for generating a first mask value based on the first password using the hardware security module;
   means for combining the first mask value with a first encryption key using the hardware security module, wherein the first encryption key is derived from a generated key and a known value, the combining resulting in a tied key;
   means for receiving a second password corresponding to the software application;
   means for generating a second mask value based on the second password using the hardware security module;
   means for separating a recovered encryption key from the tied key using the second mask value, the recovered encryption key including a recovered generated key and a recovered known value; and
   means for encrypting data using the recovered generated key.
   Dependent claims: 9, 10, 11, 12, 13.

14. A computer program product stored in a computer operable media for securing data, said computer program product comprising:
   means for receiving a first password corresponding to a software application;
   means for generating a first mask value based on the first password;
   means for combining the first mask value with a first encryption key, wherein the first encryption key is derived from a generated key and a known value, the combining resulting in a tied key;
   means for receiving a second password corresponding to the software application;
   means for generating a second mask value based on the second password;
   means for separating a recovered encryption key from the tied key using the second mask value, the recovered encryption key including a recovered generated key and a recovered known value; and
   means for encrypting data using the recovered generated key.
   Dependent claims: 15, 16, 17, 18, 19, 20.