Remote secure authorization

US 20050102509A1
Filed: 12/02/2004
Published: 05/12/2005
Est. Priority Date: 10/07/2003
Status: Active Grant

First Claim

Patent Images

1. A method of distributing at least one enterprise network cryptographic key to a client attempting to access an enterprise network via an edge device of said enterprise network, the method comprising the steps of:

receiving first information from a client, encrypting said first information with a predefined enterprise network cryptographic key to generate a first cipher, sending said first cipher and a predefined unique identifier of said edge device of said enterprise network to an authentication server, receiving a second cipher from said authentication server, decrypting said second cipher with a predefined enterprise network cryptographic key to obtain a client cryptographic key, encrypting at least one predefined enterprise network cryptographic key with said client cryptographic key to generate a third cipher, and forwarding said third cipher to said client.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention discloses a technique provisioning network cryptographic keys to a client when direct physical transfer is not feasible. In an embodiment of the invention, a client token generates a temporary key encrypted with a first secret key known only in a master token database and passes this on to an enterprise network token of a network to which service is requested. The enterprise network token then further encrypts the encrypted temporary key with a second secret key and passes that on to the master token database. Since the second secret key is also known by the master token database, the originally encrypted temporary key can be securely decoded only by a master token coupled to the master token database. The decrypted temporary key can then be re-encrypted with a key known only by the enterprise network token and the master token, and returned to the enterprise network token. This allows the enterprise network token to gain secure access to the temporary key of the client token, thereby allowing the enterprise network token to securely provision the remote client token with the appropriate enterprise Network Keys.

Citations

13 Claims

1. A method of distributing at least one enterprise network cryptographic key to a client attempting to access an enterprise network via an edge device of said enterprise network, the method comprising the steps of:
- receiving first information from a client, encrypting said first information with a predefined enterprise network cryptographic key to generate a first cipher, sending said first cipher and a predefined unique identifier of said edge device of said enterprise network to an authentication server, receiving a second cipher from said authentication server, decrypting said second cipher with a predefined enterprise network cryptographic key to obtain a client cryptographic key, encrypting at least one predefined enterprise network cryptographic key with said client cryptographic key to generate a third cipher, and forwarding said third cipher to said client.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein said first information comprises a fourth cipher and a predefined unique identifier of said client, said fourth cipher including said client cryptographic key encrypted using a cryptographic key known only to said client and said authentication server.
  - 3. The method of claim 2, wherein said predefined unique identifier of said client and said edge device are a unique serial number corresponding to an individual token associated with said client and said edge device, respectively.
  - 4. The method of claim 3, wherein said cryptographic key known only to said client and said authentication server resides in said token associated with said client.
  - 5. The method of claim 2, wherein said authentication server performs the steps of:
    - identifying a predefined enterprise network cryptographic key associated with said predefined unique identifier of said edge device of said enterprise network, decrypting said first cipher using said identified, predefined enterprise network cryptographic key to obtain said first information, identifying said cryptographic key known only to said client and said authentication server using said predefined unique identifier of said client, decrypting said fourth cipher using said cryptographic key known only to said client and said authentication server to obtain said client cryptographic key, and encrypting said client cryptograph key using a predefined enterprise network cryptographic key to generate said second cipher.
  - 6. The method of claim 2, wherein said client performs the steps of:
    - generating said client cryptographic key, encrypting said client cryptographic key using said cryptographic key known only to said client and said authentication server to generate said fourth cipher, and decrypting said third cipher using client cryptographic key to obtain said at least one predefined enterprise network cryptographic key.
  - 7. The method of claim 6, wherein said client cryptographic key is a random number.
  - 8. The method of claim 1, wherein said edge device is an access point and said enterprise network is a 802.11x network.

9. A method of authenticating a client attempting to access an enterprise network via an edge device of said enterprise network, said method comprising the steps of:
- receiving information from an edge device of an enterprise network, said information comprising a predefined unique identifier of said edge device of said enterprise network and a first cipher, identifying a predefined enterprise network cryptographic key associated with said predefined unique identifier of said edge device of said enterprise network, decrypting said first cipher using said identified, predefined enterprise network cryptographic key to obtain a second cipher and a unique identifier of said client, determining whether a match exists between said unique identifier of said client and at least one of a number of stored client identifiers, and if a match does exist, identifying a cryptographic key known only to said client and said authentication server corresponding to said unique identifier of said client, decrypting said second cipher using said cryptographic key known only to said client and said authentication server to obtain a client cryptographic key, encrypting said client cryptographic key using a predefined enterprise network cryptographic key to generate a third cipher, and forwarding said third cipher to said edge device of said enterprise network.
- View Dependent Claims (10, 11)
- - 10. The method of claim 9, wherein said edge device of said enterprise network performs the steps of:
    - decrypting said third cipher with a predefined enterprise network cryptographic key to obtain said client cryptographic key, encrypting at least one predefined enterprise network cryptographic key with said client cryptographic key to generate a fourth cipher, and forwarding said fourth cipher to said client.
  - 11. The method of claim 9, wherein said predefined unique identifier of said client is a unique serial number corresponding to a token associated with said client.

12. A method of obtaining at least one enterprise network cryptographic key from an edge device of an enterprise network, the method comprising the steps of:
- generating a temporary cryptographic key, encrypting said temporary cryptographic key using a predefined enterprise network cryptographic key to generate a first cipher, encrypting said first cipher with a predefined client cryptographic key to generate a second cipher, forwarding said second cipher along with a unique identifier to an edge device of an enterprise network, receiving a response from said edge device of said enterprise network, decrypting said response using said temporary cryptographic key to obtain at least one enterprise network cryptographic key.
- View Dependent Claims (13)
- - 13. The method of claim 12, wherein said unique identifier is a unique serial number corresponding to a token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
KoolSpan, Inc.
Original Assignee
KoolSpan, Inc.
Inventors
Fascenda, Anthony C.

Granted Patent

US 7,827,409 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/165
CPC Class Codes

G06Q 20/02   involving a neutral party, ...

G06Q 20/3829   involving key management

G07F 7/1016   Devices or methods for secu...

H04L 2463/062   applying encryption of the ...

H04L 63/0478   applying multiple layers of...

H04L 63/062   for key distribution, e.g. ...

H04L 9/0822   using key encryption key

H04L 9/0877   using additional device, e....

H04L 9/3234   involving additional secure...

H04W 12/041   Key generation or derivation

Remote secure authorization

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

Remote secure authorization

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links