Session key distribution methods using a hierarchy of key servers

US 20050125684A1
Filed: 02/28/2003
Published: 06/09/2005
Est. Priority Date: 03/18/2002
Status: Active Grant

First Claim

Patent Images

1. A method of facilitating secure communication between first and second devices, the method comprising:

automatically identifying a common key server potentially accessible by both the first and second devices; and

obtaining a secure private key from the common key server, for use in encrypting communications between the first and second devices.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparatuses, media and signals for facilitating secure communication between a first device and a second device are disclosed. One method includes automatically identifying a common key server potentially accessible by both the first and second devices, and obtaining a secure private key from the common key server, for use in encrypting communications between the first and second devices. Identifying may include identifying as the common key server, a key server at an intersection of a first communication path defined between a first key server having a previously established relationship with the first device and a master key server, and a second communication path defined between a second key server having a previously established relationship with the second device and the master key server. Obtaining may include obtaining a plurality of private keys and blending the keys to produce a final private session key.

157 Citations

109 Claims

1. A method of facilitating secure communication between first and second devices, the method comprising:
- automatically identifying a common key server potentially accessible by both the first and second devices; and
  
  obtaining a secure private key from the common key server, for use in encrypting communications between the first and second devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 46, 47, 48)
- - 2. The method of claim 1 wherein identifying comprises transmitting identifications of key servers from one of the first and second devices to the other of the first and second devices.
  - 3. The method of claim 2 wherein identifying further comprises producing a first list of key servers potentially accessible by the first device.
  - 4. The method of claim 3 wherein producing comprises including in the first list, identifications of key servers associated with first device keys stored in a storage medium of the first device.
  - 5. The method of claim 4 wherein producing further comprises including in the first list, identifications of intermediate key servers interposed along secure communications paths between each of the key servers associated with the first device keys and a master key server.
  - 6. The method of claim 3 wherein transmitting comprises transmitting the first list from the first device to the second device.
  - 7. The method of claim 6 wherein identifying further comprises receiving at the first device, from the second device, an identification of the common key server.
  - 8. The method of claim 2 wherein identifying further comprises receiving at 4 the second device, a first list of key servers potentially accessible by the first device.
  - 9. The method of claim 8 wherein identifying further comprises producing a second list of key servers potentially accessible by the second device.
  - 10. The method of claim 9 wherein producing comprises including in the second list, identifications of key servers associated with second device keys stored in a storage medium of the second device.
  - 11. The method of claim 10 wherein producing further comprises including in the second list, identifications of intermediate key servers interposed along secure communications paths between each of the key servers associated with the second device keys and a master key server.
  - 12. The method of claim 9 wherein identifying further comprises comparing the first and second lists, and identifying, as the common key server, a key server identified in both lists.
  - 13. The method of claim 12 wherein identifying comprises identifying as the common key server, from among a group of key servers each of which is identified in both the first and second lists, the key server having the shortest communications paths to the first and second devices.
  - 14. The method of claim 1 wherein identifying comprises identifying as the common key server, a key server at an intersection of a first communication path defined between a first key server having a previously established relationship with the first device and a master key server, and a second communication path defined between a second key server having a previously established relationship with the second device and the master key server.
  - 15. The method of claim 12 wherein transmitting comprises transmitting, from the second device to the first device, an identification of the common key server.
  - 16. The method of claim 15 wherein transmitting further comprises transmitting, from the second device to the first device, identifications of any intermediate key servers interposed between the first device and the common key server.
  - 17. The method of claim 1 wherein identifying further comprises identifying intermediate key servers interposed along a communications path between one of the first and second devices and the common key server.
  - 18. The method of claim 17 wherein obtaining comprises obtaining the private key from one of the intermediate key servers that has received the private key from the common key server.
  - 19. The method of claim 1 wherein obtaining comprises receiving the private key from the common key server via a secure communications channel.
  - 20. The method of claim 19 wherein receiving comprises receiving the private key from an intermediate key server that has received the private key from the common key server.
  - 21. The method of claim 19 wherein obtaining further comprises transmitting a request message to the common key server to request the common key server to transmit the private key.
  - 22. The method of claim 21 wherein transmitting comprises transmitting the request message to an intermediate key server, for relay to the common key server.
  - 23. The method of claim 19 further comprising validating the private key.
  - 24. The method of claim 23 wherein validating comprises receiving a first hash value produced by the common key server in response to the private key, generating a second hash value in response to the received private key, and comparing the first and second hash values.
  - 25. The method of claim 1 wherein obtaining comprises obtaining first and second private keys from at least one of the common key server and a second common key server potentially accessible by both the first and second devices.
  - 26. The method of claim 25 wherein obtaining first and second private keys comprises obtaining a private user key from a common user key server and a private device key from a common device key server.
  - 27. The method of claim 25 further comprising obtaining an initial session key.
  - 28. The method of claim 27 wherein obtaining the initial session key comprises receiving the initial session key at the first device.
  - 29. The method of claim 27 wherein obtaining the initial session key comprises generating the initial session key at the second device and transmitting the initial session key to the first device.
  - 30. The method of claim 1 further comprising encrypting communications between the first and second devices, in response to the private key.
  - 31. The method of claim 25 further comprising encrypting communications between the first and second devices, in response to the first and second private keys.
  - 32. The method of claim 27 further comprising encrypting communications between the first and second devices, in response to the first and second private keys and the initial session key.
  - 33. The method of claim 32 wherein encrypting comprises blending the first and second private keys and the initial session key to produce a modified key.
  - 34. The method of claim 33 wherein blending comprises encrypting at least one of the first and second private keys and the initial session key using at least one other of the first and second private keys and the initial session key.
  - 35. The method of claim 33 wherein blending comprises encrypting the first private key using the second private key to produce a once-encrypted key.
  - 36. The method of claim 35 wherein blending further comprises encrypting the once-encrypted key using the initial session key to produce a twice-encrypted key.
  - 37. The method of claim 36 wherein blending further comprises generating a hash value in response to the twice-encrypted key, and appending the hash value to the twice-encrypted key.
  - 38. The method of claim 37 wherein blending further comprises deleting a portion of the twice-encrypted key other than the hash value appended thereto, the deleted portion having a length equal to the hash value appended thereto.
  - 39. The method of claim 38 wherein blending further comprises repeating the steps of generating and appending a hash value to the twice-encrypted key and deleting a portion of the twice-encrypted key until the twice-encrypted key has been entirely replaced with appended hash values.
  - 40. The method of claim 30 wherein encrypting comprises encrypting communications between the first and second devices using a blended key produced in response to the private key.
  - 41. The method of claim 40 wherein encrypting comprises initiating a cipher communications session with the blended key.
  - 42. The method of claim 41 wherein initiating comprises executing a modified ARC4 streaming cipher communications session.
  - 43. The method of claim 42 wherein executing comprises repeating a shuffling loop of the ARC4 streaming cipher communications session, a prime number of times greater than two.
  - 46. A computer-readable medium storing code segments for directing a processor circuit to carry out the method of claim 1.
  - 47. A signal embodied in a communications medium, the signal comprising code segments for directing a processor circuit to carry out the method of claim 1.
  - 48. A signal embodied in a carrier wave, the signal comprising code segments for directing a processor circuit to carry out the method of claim 1.

44. (canceled).

45. (canceled).

49. An apparatus for facilitating secure communication between first and second devices, the apparatus comprising:
- a processor circuit capable of communication with a network, the processor circuit configured to identify a common key server potentially accessible by both the first and second devices;
  
  wherein the processor circuit is configured to obtain a secure private key from the common key server, for use in encrypting communications between the first and second devices.
- View Dependent Claims (50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, 90, 91)
- - 50. The apparatus of claim 49 wherein the processor circuit is configured to transmit identifications of key servers from one of the first and second devices to the other of the first and second devices.
  - 51. The apparatus of claim 50 wherein the processor circuit is configured to produce a first list of key servers potentially accessible by the first device.
  - 52. The apparatus of claim 51 wherein the processor circuit is configured to include in the first list, identifications of key servers associated with first device keys stored in a storage medium of the first device.
  - 53. The apparatus of claim 52 wherein the processor circuit is configured to include in the first list, identifications of intermediate key servers interposed along secure communications paths between each of the key servers associated with the first device keys and a master key server.
  - 54. The apparatus of claim 51 wherein the processor circuit is configured to transmit the first list from the first device to the second device.
  - 55. The apparatus of claim 54 wherein the processor circuit is configured to receive at the first device, from the second device, an identification of the common key server.
  - 56. The apparatus of claim 50 wherein the processor circuit is configured to receive at the second device, a first list of key servers potentially accessible by the first device.
  - 57. The apparatus of claim 56 wherein the processor circuit is configured to produce a second list of key servers potentially accessible by the second device.
  - 58. The apparatus of claim 57 wherein the processor circuit is configured to include in the second list, identifications of key servers associated with second device keys stored in a storage medium of the second device.
  - 59. The apparatus of claim 58 wherein the processor circuit is configured to include in the second list, identifications of intermediate key servers interposed along secure communications paths between each of the key servers associated with the second device keys and a master key server.
  - 60. The apparatus of claim 57 wherein the processor circuit is configured to compare the first and second lists, and identify, as the common key server, a key server identified in both lists.
  - 61. The apparatus of claim 60 wherein the processor circuit is configured to identify as the common key server, from among a group of key servers each of which is identified in both the first and second lists, the key server having the shortest communications paths to the first and second devices.
  - 62. The apparatus of claim 49 wherein the processor circuit is configured to identify as the common key server, a key server at an intersection of a first communication path defined between a first key server having a previously established relationship with the first device and a master key server, and a second communication path defined between a second key server having a previously established relationship with the second device and the master key server.
  - 63. The apparatus of claim 60 wherein the processor circuit is configured to transmit, from the second device to the first device, an identification of the common key server.
  - 64. The apparatus of claim 63 wherein the processor circuit is configured to transmit, from the second device to the first device, identifications of any intermediate key servers interposed between the first device and the common key server.
  - 65. The apparatus of claim 49 wherein the processor circuit is configured to identify intermediate key servers interposed along a communications path between one of the first and second devices and the common key server.
  - 66. The apparatus of claim 65 wherein the processor circuit is configured to obtain the private key from one of the intermediate key servers that has received the private key from the common key server.
  - 67. The apparatus of claim 49 wherein the processor circuit is configured to receive the private key from the common key server via a secure communications channel.
  - 68. The apparatus of claim 67 wherein the processor circuit is configured to receive the private key from an intermediate key server that has received the private key from the common key server.
  - 69. The apparatus of claim 67 wherein the processor circuit is configured to transmit a request message to the common key server to request the common key server to transmit the private key.
  - 70. The apparatus of claim 69 wherein the processor circuit is configured to transmit the request message to an intermediate key server, for relay to the common key server.
  - 71. The apparatus of claim 67 the processor circuit is configured to validate the private key.
  - 72. The apparatus of claim 71 wherein the processor circuit is configured to validate the private key by receiving a first hash value produced by the common key server in response to the private key, generating a second hash value in response to the received private key, and comparing the first and second hash values.
  - 73. The apparatus of claim 49 wherein the processor circuit is configured to obtain first and second private keys from at least one of the common key server and a second common key server potentially accessible by both the first and second devices.
  - 74. The apparatus of claim 73 wherein the processor circuit is configured to obtain, as the first and second private keys, a private user key from a common user key server and a private device key from a common device key server.
  - 75. The apparatus of claim 73 wherein the processor circuit is configured to obtain an initial session key.
  - 76. The apparatus of claim 75 wherein the processor circuit is configured to receive the initial session key at the first device.
  - 77. The apparatus of claim 75 wherein the processor circuit is configured to generate the initial session key at the second device and transmit the initial session key to the first device.
  - 78. The apparatus of claim 49 wherein the processor circuit is configured to encrypt communications between the first and second devices, in response to the private key.
  - 79. The apparatus of claim 73 wherein the processor circuit is configured to encrypt communications between the first and second devices, in response to the first and second private keys.
  - 80. The apparatus of claim 75 wherein the processor circuit is configured to encrypt communications between the first and second devices, in response to the first and second private keys and the initial session key.
  - 81. The apparatus of claim 80 wherein the processor circuit is configured to blend the first and second private keys and the initial session key to produce a modified key.
  - 82. The apparatus of claim 81 wherein the processor circuit is configured to encrypt at least one of the first and second private keys and the initial session key using at least one other of the first and second private keys and the initial session key.
  - 83. The apparatus of claim 81 wherein the processor circuit is configured to encrypt the first private key using the second private key to produce a once-encrypted key.
  - 84. The apparatus of claim 83 wherein the processor circuit is configured to encrypt the once-encrypted key using the initial session key to produce a twice-encrypted key.
  - 85. The apparatus of claim 84 wherein the processor circuit is configured to generate a hash value in response to the twice-encrypted key, and append the hash value to the twice-encrypted key.
  - 86. The apparatus of claim 85 wherein the processor circuit is configured to delete a portion of the twice-encrypted key other than the hash value appended thereto, the deleted portion having a length equal to the hash value appended thereto.
  - 87. The apparatus of claim 86 wherein the processor circuit is configured to repeat the steps of generating and appending a hash value to the twice-encrypted key and deleting a portion of the twice-encrypted key until the twice-encrypted key has been entirely replaced with appended hash values.
  - 88. The apparatus of claim 78 wherein the processor circuit is configured to encrypt communications between the first and second devices using a blended key produced in response to the private key.
  - 89. The apparatus of claim 88 wherein the processor circuit is configured to initiate a cipher communications session with the blended key.
  - 90. The apparatus of claim 89 wherein the processor circuit is configured to execute a modified ARC4 streaming cipher communications session.
  - 91. The apparatus of claim 90 wherein the processor circuit is configured to repeat a shuffling loop of the ARC4 streaming cipher communications session, a prime number of times greater than two.

92. An apparatus for facilitating secure communication between first and second devices, the apparatus comprising:
- means for identifying a common key server potentially accessible by both the first and second devices; and
  
  means for obtaining a secure private key from the common key server, for use in encrypting communications between the first and second devices.

93. A method of facilitating secure communications between first and second devices, the method comprising:
- receiving, at an intermediate key server, a request message from one of the first and second devices requesting a private key; and
  
  relaying the request message to a common key server potentially accessible by both the first and second devices.
- View Dependent Claims (94, 97, 98, 99)
- - 94. The method of claim 93 further comprising receiving the private key from the common key server and relaying the private key for receipt by the one of the first and second devices.
  - 97. A computer-readable medium storing code segments for directing a processor circuit to carry out the method of claim 93.
  - 98. A signal embodied in a communications medium, the signal comprising code segments for directing a processor circuit to carry out the method of claim 93.
  - 99. A signal embodied in a carrier wave, the signal comprising code segments for directing a processor circuit to carry out the method of claim 93.

95. (canceled).

96. (canceled).

100. An apparatus for facilitating secure communications between first and second devices, the apparatus comprising:
- an intermediate key server comprising a processor circuit configured to receive a request message from one of the first and second devices requesting a private key;
  
  wherein the processor circuit is configured to relay the request message to a common key server potentially accessible by both the first and second devices.

101. An apparatus for facilitating secure communications between first and second devices, the apparatus comprising:
- an intermediate key server comprising;
  
  means for receiving a request message from one of the first and second devices requesting a private key; and
  
  means for relaying the request message to a common key server potentially accessible by both the first and second devices.

102. A method of facilitating secure communications between first and second devices, the method comprising:
- receiving, at a common key server potentially accessible by both the first and second devices, request messages from first and second intermediate servers interposed between the common key server and the first and second devices respectively, requesting a private key; and
  
  generating and transmitting the private key to the first and second intermediate servers in response to the request messages, for relay to the first and second devices.
- View Dependent Claims (105, 106, 107)
- - 105. A computer-readable medium storing code segments for directing a processor circuit to carry out the method of claim 102.
  - 106. A signal embodied in a communications medium, the signal comprising code segments for directing a processor circuit to carry out the method of claim 102.
  - 107. A signal embodied in a carrier wave, the signal comprising code segments for directing a processor circuit to carry out the method of claim 102.

103. (canceled).

104. (canceled).

108. An apparatus for facilitating secure communications between first and second devices, the apparatus comprising:
- a common key server potentially accessible by both the first and second devices, the common key server comprising a processor circuit configured to receive request messages from first and second intermediate servers interposed between the common key server and the first and second devices respectively, requesting a private key;
  
  wherein the processor circuit is configured to generate and transmit the private key to the first and second intermediate servers in response to the request messages, for relay to the first and second devices.

109. An apparatus for facilitating secure communications between first and second devices, the apparatus comprising:
- a common key server potentially accessible by both the first and second devices, the common key server comprising;
  
  means for receiving request messages from first and second intermediate servers interposed between the common key server and the first and second devices respectively, requesting a private key; and
  
  means for generating and transmitting the private key to the first and second intermediate servers in response to the request messages, for relay to the first and second devices.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Colin Martin Schmidt
Original Assignee
Colin Martin Schmidt
Inventors
Schmidt, Colin Martin

Granted Patent

US 7,477,748 B2
Time in Patent Office

Days
Field of Search
US Class Current

726/27
CPC Class Codes

H04L 2209/60   Digital content management,...

H04L 63/0442   wherein the sending and rec...

H04L 63/064   Hierarchical key distributi...

H04L 9/0836   using tree structure or hie...

H04L 9/30   Public key, i.e. encryption...

Session key distribution methods using a hierarchy of key servers

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

157 Citations

109 Claims

Specification

Solutions

Use Cases

Quick Links

Session key distribution methods using a hierarchy of key servers

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

157 Citations

109 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links