Methods and systems for key recovery for a token

US 20070280483A1
Filed: 06/06/2006
Published: 12/06/2007
Est. Priority Date: 06/06/2006
Status: Active Grant

First Claim

Patent Images

1. A method of recovering keys, comprising:

generating a key transport session key, and deriving a key encryption key based on a server master key and an identification associated with a token;

first encrypting the key transport session key with the key encryption key as a first wrapped key transport session key;

retrieving an encrypted storage session key and an encrypted private key from an archive;

first decrypting the encrypted storage session key with a server storage key as a storage session key;

second decrypting the encrypted private key with the storage session key;

second encrypting the decrypted private key with the key transport session key as a wrapped private key; and

forwarding the wrapped private key and the first wrapped key transport session key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems and computer readable mediums are provided for recovering keys. A key transport session key is generated, and a key encryption key is derived based on a server master key and an identification associated with a token. The key transport session key is encrypted with the key encryption key as a first wrapped key transport session key. An encrypted storage session key and an encrypted private key are retrieved from an archive. The encrypted storage session key is decrypted with a server storage key as a storage session key. The encrypted private key is decrypted with the storage session key. The decrypted private key is encrypted with the key transport session key as a wrapped private key. The wrapped private key and the first wrapped key transport session key are forwarded.

101 Citations

View as Search Results

21 Claims

1. A method of recovering keys, comprising:
- generating a key transport session key, and deriving a key encryption key based on a server master key and an identification associated with a token;
  
  first encrypting the key transport session key with the key encryption key as a first wrapped key transport session key;
  
  retrieving an encrypted storage session key and an encrypted private key from an archive;
  
  first decrypting the encrypted storage session key with a server storage key as a storage session key;
  
  second decrypting the encrypted private key with the storage session key;
  
  second encrypting the decrypted private key with the key transport session key as a wrapped private key; and
  
  forwarding the wrapped private key and the first wrapped key transport session key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - retrieving a server transport key and encrypting the key transport session key with the server transport key as a second wrapped key transport session key;
      
      forwarding the second wrapped key transport session key and the first wrapped key transport session key, and decrypting the second wrapped key transport session key.
  - 3. The method of claim 1, wherein the server master key is stored separately from the token.
  - 4. The method of claim 1, wherein the wrapped private key and the wrapped session key are forwarded to the token.
  - 5. The method of claim 1, further comprising:
    - retrieving at least one certificate associated with the token; and
      
      forwarding the at least one certificate.
  - 6. The method of claim 1, further comprising receiving a recovery request, wherein the generating and deriving are in response to the recovery request.
  - 7. The method of claim 1, further comprising, after the forwarding:
    - sending a challenge to the token;
      
      receiving a response to the challenge; and
      
      checking the accuracy of the response.
  - 8. The method of claim 1, further comprising, after the forwarding:
    - receiving a challenge; and
      
      sending a response to the challenge.
  - 9. An apparatus comprising means for performing the method of claim 1.
  - 10. A computer-readable medium comprising computer executable instructions for implementing the method of claim 1.

11. A system for recovering keys, comprising:
- a security client configured to manage a token when connected to the token; and
  
  a security server configured to interface with the security client, the security server being configured to generate a key transport session key and derive a key encryption key based on a server master key and an identification associated with the token, encrypt the key transport session key with the key encryption key as a first wrapped key transport session key, retrieve a storage session key and an encrypted private key from an archive, decrypt the encrypted private key with the storage session key, encrypt the private key with the key transport session key as a wrapped private key, and forward the wrapped private key and the wrapped session key to the security client.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The system of claim 11, wherein the security server is further configured to:
    - connect to the token in accordance with the security client; and
      
      write the private key to the token.
  - 13. The system of claim 12, wherein the security client is further configured to participate in a challenge to the token, to confirm that the private key was written to the token.
  - 14. The system of claim 11, wherein the storage session key is encrypted, further comprising decrypting the storage session key with a server storage key.
  - 15. The system of claim 11, wherein the security client further comprises:
    - a token processing gateway configured to manage the interface between the security client and the security server;
      
      a key service module configured to interface with the token processing gateway;
      
      a certificate authority module configured to interface with the token processing gateway and to retrieve certificates; and
      
      an archive module configured to interface with the token processing gateway and configured to maintain a database of private keys, wherein the archive module is configured to store the private key.
  - 16. The system of claim 15, wherein the key service module is further configured to generate the key transport session key, to derive the key encryption key, and to encrypt the key transport session key with the key encryption key as the first wrapped key transport session key.
  - 17. The system of claim 15, wherein the archive module is further configured to retrieve the storage session key and the encrypted private key from the archive, decrypt the encrypted private key with the storage session key, encrypt the decrypted private key with the key transport session key, and forward the wrapped private key to the token processing gateway.
  - 18. The system of claim 15, wherein the token processing gateway is further configured to forward the wrapped private key and the first wrapped key transport session key to the token, to retrieve at least one certificate for the token, and to forward the at least one certificate to the token.

19. A computer-readable medium, comprising instructions executable on a token, the instructions including a computer-implemented method for recovering a security key onto the token, the instructions for implementing:
- receiving a private key to be associated with a token;
  
  enrolling the received private key onto the token, if the private key has not previously been enrolled; and
  
  recovering the private key onto the token, if the private key was previously enrolled,wherein both the enrolling and the recovering are the same instructions.
- View Dependent Claims (20, 21)
- - 20. The method of claim 19, further comprising instructions for participating in a challenge prior to at least one of the enrolling and the recovering, to confirm that the private key was written to the token.
  - 21. The method of claim 20, wherein the private key is signed, further comprising instructions for verifying the signed private key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Fu, Christina, Kwan, Nang Kon, Parkinson, Steven William, Relyea, Robert

Granted Patent

US 7,822,209 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/286
CPC Class Codes

H04L 9/0822 using key encryption key

H04L 9/0897 involving additional device...

Methods and systems for key recovery for a token

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

101 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for key recovery for a token

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

101 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links