SYSTEM AND METHOD FOR KEY RECOVERY
Abstract
A secure mechanism for transparent key recovery for a user who has changed authentication information is disclosed. A password manager agent intercepts requests by a user to access secure resources that require user credentials. Upon detecting changed authentication information for the user, the password manager agent automatically regenerates the components of a cryptographic key associated with the user that was previously used to encrypt user credentials for the user and then destroyed. After regeneration of the original cryptographic key, the password manager agent uses the key to decrypt the user credentials necessary for the requested application. The regenerated key is then destroyed and the user credentials are re-encrypted by the password manager agent using a new cryptographic key associated with the user made up of multiple components. Following the re-encryption of the user credentials, the components used to assemble the new key are securely stored in multiple locations and the new key is destroyed.
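The abstract describes a credential store whose key never persists: it is assembled from components kept in separate places, used, and destroyed, so the encrypted credential does not depend on the user's logon password and survives a password change. The following is an added simulation of that flow, not code from the patent or any product. It assumes an XOR-split key, an HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag (a stdlib-only stand-in for a real AEAD), and a `locations` dictionary standing in for the multiple stores; the identity check is reduced to a boolean passed by the caller.

```python
import hmac, hashlib, secrets
from functools import reduce

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def assemble_key(components):
    # The key exists only while assembled; every component is required (XOR secret sharing).
    return reduce(xor_bytes, components, bytes(32))

def keystream(key, nonce, length):  # HMAC-SHA256 in counter mode as a stdlib-only cipher
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = xor_bytes(plaintext, keystream(key, nonce, len(plaintext)))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("credential blob failed integrity check")
    return xor_bytes(ct, keystream(key, nonce, len(ct)))

class PasswordManagerAgent:
    def __init__(self, n_locations=3):
        # `locations` is a constructed stand-in for separate stores (directory, vault, local file)
        self.locations, self.n, self.blob = {}, n_locations, None

    def _new_key(self):
        comps = [secrets.token_bytes(32) for _ in range(self.n)]
        self.locations = {f"store{i}": c for i, c in enumerate(comps)}
        return assemble_key(comps)

    def enroll(self, credential):
        key = self._new_key()
        self.blob = encrypt(key, credential)
        del key  # destroy the working key; only its components persist

    def access(self, identity_validated):
        if not identity_validated:  # regenerate only after the (possibly new) authenticator is validated
            raise PermissionError("identity not validated")
        key = assemble_key([self.locations[f"store{i}"] for i in range(self.n)])
        credential = decrypt(key, self.blob)
        del key
        new_key = self._new_key()  # rotate to a fresh multi-component key ...
        self.blob = encrypt(new_key, credential)
        del new_key  # ... and destroy that one too
        return credential
```

Each access re-encrypts the credential under new components, so a copy of the old blob plus any old component set is useless, and a modified blob is rejected by the tag check before anything is decrypted.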
33 Claims
1. A method of providing access to a resource, comprising:
receiving a first authenticator for a user;
encrypting using a first key, in response to receipt of the first authenticator, a user credential required for access to at least one resource;
destroying the first key;
receiving, subsequent to the destruction of the first key, a second authenticator used to authenticate the user;
receiving a request from the user to access the at least one resource;
regenerating the first key following validation of the identity of the user;
decrypting the encrypted user credential using the regenerated first key;
providing the decrypted user credential to the at least one resource;
encrypting the user credential using a second key created following the receipt of the second authenticator; and
destroying the second key.
12. The method of claim 11 wherein the key is created using a cryptographically strong random number generated from a second source.
14. The method of claim 11 wherein at least one of the plurality of cryptographically strong random numbers used to create the key is encrypted prior to being stored in a separate location from the rest of the plurality of cryptographically strong random numbers.
16. A system for providing secure access to a resource, comprising:
a password management agent, the password manager agent detecting a user request to access a secure resource from a user and determining the authenticator associated with the user has changed subsequent to the encryption of a user credential required to access the requested secure resource;
a first key used to encrypt the user credential required to access the requested secure resource, the first key generated from a plurality of cryptographically strong components, destroyed after encrypting the user credential, and regenerated following the detection by the password manager agent of the user request; and
a second key used to encrypt the user credential subsequent to the decryption of the user credential using the regenerated key, the second key generated from a plurality of cryptographically strong components and destroyed after encrypting the user credential.
23. An article of manufacture having embodied thereon computer-readable program means for providing access to a secure resource, the article of manufacture comprising:
computer-readable program means for receiving a first authenticator for a user;
computer-readable program means for encrypting using a first key, in response to receipt of the first authenticator, a user credential required for access to at least one resource;
computer-readable program means for destroying the first key;
computer-readable program means for receiving, subsequent to the destruction of the first key, a second authenticator used to authenticate the user;
computer-readable program means for receiving a request from the user to access the at least one resource;
computer-readable program means for regenerating the first key following validation of the identity of the user;
computer-readable program means for decrypting the encrypted user credential using the regenerated first key;
computer-readable program means for providing the decrypted user credential to the at least one resource;
computer-readable program means for encrypting the user credential using a second key created following the receipt of the second authenticator; and
computer-readable program means for destroying the second key.
33. A method of providing access to a secure resource over a network, comprising:
providing a user credential associated with a user, the user credential encrypted using a first key and associated with the user following a first authentication of the user to the network using a first authenticator, the first key destroyed following the encryption of the user credential;
receiving, subsequent to the first authentication, a request from the user to access a secure resource, the secure resource requiring the encrypted user credential;
determining that the request for the secure resource originated from the user following a second authentication of the user to the network using a second authenticator;
regenerating, automatically without additional user input, the first key, following validation of the identity of the user;
decrypting the encrypted user credential using the regenerated first key;
providing the decrypted user credential to the secure resource; and
encrypting the user credential using a second key created following the receipt of the second authenticator, the second key destroyed following the encryption.
Specification