Method and apparatus for managing cryptographic keys
Abstract
One embodiment of the present invention provides a system for managing keys. During operation, the system authenticates a client at a key manager. Next, the system receives a token from the client at the key manager, wherein the token is associated with a customer key, and includes a token authenticator. This token authenticator comprises one-half of an authenticator pair which is used to determine if the client is the owner of the customer key. Next, the system decrypts the token using a master key. The system then verifies a client authenticator, which comprises the other half of the authenticator pair which is used to determine if the client is the owner of the customer key. If the client is the owner of the customer key, the system sends the customer key to the client, which enables the client to encrypt/decrypt data. Finally, the client deletes the customer key.
25 Claims
1. A method for managing keys, comprising:
authenticating a client at a key manager;
receiving a token from the client at the key manager, wherein the token is associated with a customer key, and wherein the token includes a token authenticator that comprises one-half of an authenticator pair used to determine if the client is the owner of the customer key;
decrypting the token using a master key;
verifying a client authenticator, wherein the client authenticator comprises the other half of the authenticator pair used to determine if the client is the owner of the customer key; and
if the client is the owner of the customer key, sending the customer key to the client so that the client can use the customer key to encrypt/decrypt data at the client, and can then delete the customer key.
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13.
14. A computer-readable storage medium storing instructions that when executed by a computer cause the computer to perform a method for managing keys, the method comprising:
authenticating a client at a key manager;
receiving a token from the client at the key manager, wherein the token is associated with a customer key, and wherein the token includes a token authenticator that comprises one-half of an authenticator pair used to determine if the client is the owner of the customer key;
decrypting the token using a master key;
verifying a client authenticator, wherein the client authenticator comprises the other half of the authenticator pair used to determine if the client is the owner of the customer key; and
if the client is the owner of the customer key, sending the customer key to the client, using the customer key to encrypt/decrypt data at the client, and deleting the customer key at the client.
Dependent claims: 15, 16, 17, 18, 19, 20, 21, 22, 23, 24.
25. An apparatus for managing keys, comprising:
a key manager;
a client;
a token;
an authentication mechanism configured to authenticate the client;
a receiving mechanism configured to receive a token from the client at the key manager, wherein the token is associated with the customer key, and wherein the token includes a token authenticator that comprises one-half of an authenticator pair used to determine if the client is the owner of the customer key;
a decrypting mechanism configured to decrypt the token using the master key;
a verifying mechanism configured to verify a client authenticator, wherein the client authenticator comprises the other half of the authenticator pair used to determine if the client is the owner of the customer key; and
a sending mechanism configured to send the customer key to the client if the client is the owner of the customer key.
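The flow in the abstract and in claims 1, 14 and 25, worked through as a small Python model. This is an added example, not the patent's or any assignee's code. It assumes: the authenticator pair is a random client-held secret and its SHA-256 hash carried in the token; the "master key" cipher is an HMAC-SHA256 encrypt-then-MAC stand-in built from the standard library only (a real deployment would use an AEAD such as AES-GCM); client authentication is a shared credential; keys are 32 bytes. The key manager stores only the master key and client credentials, so the customer key exists at rest only inside the sealed token held by the client, and the same seal/unseal routine doubles as the client's data cipher so the end-to-end round trip can be checked. demo() exercises the happy path plus the two failure modes a reviewer would want to see: a tampered token and a client presenting the wrong half of the authenticator pair.

```python
import hashlib
import hmac
import secrets
import struct

KEY_LEN = 32    # assumed customer-key length in bytes
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode; a stand-in for a real AEAD, not a recommended cipher.
    blocks = [hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key, payload):
    """Encrypt-then-MAC `payload` under sub-keys derived from `key`; returns nonce||ct||tag."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key, blob):
    """Reverse of seal(); refuses any blob whose tag does not verify (constant-time compare)."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("sealed blob too short")
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("token integrity check failed")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class KeyManager:
    """Holds the master key and client credentials only; customer keys live inside tokens."""

    def __init__(self, master_key):
        self._master_key = master_key
        self._credentials = {}   # client_id -> shared secret (assumed authentication scheme)

    def register_client(self, client_id, credential):
        self._credentials[client_id] = credential

    def _authenticate(self, client_id, credential):
        stored = self._credentials.get(client_id)
        if stored is None or not hmac.compare_digest(stored, credential):
            raise PermissionError("client authentication failed")

    def create_key(self, client_id, credential):
        """Return (token, client_authenticator); the client keeps both, the manager keeps neither."""
        self._authenticate(client_id, credential)
        customer_key = secrets.token_bytes(KEY_LEN)
        client_authenticator = secrets.token_bytes(32)
        # Authenticator pair (assumed construction): token carries the hash of the client's secret.
        token_authenticator = hashlib.sha256(client_authenticator).digest()
        token = seal(self._master_key, customer_key + token_authenticator)
        return token, client_authenticator

    def fetch_key(self, client_id, credential, token, client_authenticator):
        self._authenticate(client_id, credential)                  # authenticate the client
        payload = unseal(self._master_key, token)                  # decrypt token with master key
        customer_key, token_authenticator = payload[:KEY_LEN], payload[KEY_LEN:]
        presented = hashlib.sha256(client_authenticator).digest()  # verify the other half of the pair
        if not hmac.compare_digest(presented, token_authenticator):
            raise PermissionError("client is not the owner of the customer key")
        return customer_key                                        # send the customer key to the client


def client_use_key(km, client_id, credential, token, client_authenticator, op, data):
    """Client side: fetch the key, encrypt or decrypt once, then discard the key copy."""
    customer_key = km.fetch_key(client_id, credential, token, client_authenticator)
    try:
        return seal(customer_key, data) if op == "encrypt" else unseal(customer_key, data)
    finally:
        del customer_key   # the client does not retain the customer key between uses


def demo():
    """Happy path plus two failure modes; returns a dict of outcomes for checking."""
    km = KeyManager(secrets.token_bytes(32))
    cred = b"constructed-credential"                              # constructed sample credential
    km.register_client("client-a", cred)
    token, client_auth = km.create_key("client-a", cred)
    ct = client_use_key(km, "client-a", cred, token, client_auth, "encrypt", b"constructed record")
    pt = client_use_key(km, "client-a", cred, token, client_auth, "decrypt", ct)
    results = {"round_trip": pt == b"constructed record"}
    try:   # wrong half of the authenticator pair: token is valid but ownership check fails
        km.fetch_key("client-a", cred, token, secrets.token_bytes(32))
        results["wrong_authenticator_rejected"] = False
    except PermissionError:
        results["wrong_authenticator_rejected"] = True
    tampered = bytearray(token)
    tampered[NONCE_LEN] ^= 0x01                                    # flip one ciphertext bit
    try:   # modified token: integrity check under the master key fails before any key is released
        km.fetch_key("client-a", cred, bytes(tampered), client_auth)
        results["tampered_token_rejected"] = False
    except ValueError:
        results["tampered_token_rejected"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

Two properties of the claimed design show up directly in the code: the key manager is stateless with respect to customer keys (losing the token, or the client authenticator, means the key is gone), and an attacker who obtains only the token cannot extract the key without the master key, while one who obtains only the client authenticator has nothing to present it against.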
Specification