Methods and systems for entropy collection for server-side key generation

US 20080022122A1
Filed: 06/07/2006
Published: 01/24/2008
Est. Priority Date: 06/07/2006
Status: Active Grant

First Claim

Patent Images

1. A method of generating credentials for a token, the method comprising:

detecting the token and the server determining that the token is to be enrolled;

generating a subject key pair within the server based on a plurality of sources of entropy, wherein the subject key pair includes a subject public key and the subject private key;

encrypting the subject private key with a key transport session key to arrive at a wrapped private key; and

forwarding the wrapped private key to the token.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Embodiments of the present invention provide a multiple source entropy feed for a PRNG that is used to generate server-side encryption keys. In particular, embodiments of the present invention provide a data recovery manager that collects additional entropy sources that feed into the PRNG between each key generation. The entropy may be collected from a variety of sources, for example, high-resolution timer intervals between input/output interrupts, hard disk access operations, and the like. The number of bits of entropy collected may be configured for each key generation.

164 Citations

27 Claims

1. A method of generating credentials for a token, the method comprising:
- detecting the token and the server determining that the token is to be enrolled;
  
  generating a subject key pair within the server based on a plurality of sources of entropy, wherein the subject key pair includes a subject public key and the subject private key;
  
  encrypting the subject private key with a key transport session key to arrive at a wrapped private key; and
  
  forwarding the wrapped private key to the token.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The method of claim 1, further comprising receiving an identification number associated with the token.
  - 3. The method of claim 2, further comprising:
    - deriving a key encryption key based on a server master key and the identification number;
      
      generating the key transport session key based on a plurality of sources of entropy; and
      
      encrypting the key transport session key with the key encryption key to arrive at a first wrapped key transport session key.
  - 4. The method of claim 3, further comprising of retrieving a server transport key from a data recovery manager.
  - 5. The method of claim 4, further comprising of encrypting the key transport session key with the server transport key to arrive at a second wrapped key transport session key.
  - 6. The method of claim 5, further comprising:
    - decrypting the second wrapped key transport session key with a complementary private key of the server transport key to arrive at the key transport session key; and
      
      encrypting the subject private key with the key transport session key as the wrapped private key.
  - 7. The method of claim 1, further comprising:
    - retrieving a storage key configured to be a private key type; and
      
      generating a storage session key.
  - 8. The method of claim 7, further comprising:
    - encrypting the subject private key with the storage session key to arrive at a wrapped storage private key; and
      
      encrypting the storage session key with the storage key to arrive at a wrapped storage key.
  - 9. The method of claim 8, further comprising of storing the wrapped storage private key and the wrapped storage key in a data recovery manager.
  - 10. The method of claim 9, further comprising:
    - transmitting a certificate enrollment request with information related to the subject public key to a certificate authority module; and
      
      forwarding any received certificates to the token.
  - 11. An apparatus comprising of means for performing the method of claim 1.
  - 12. A computer-readable medium comprising computer-executable instructions for performing the method of claim 1.

13. A system for generating credentials for a token, the system comprising:
- a token;
  
  a security client configured to manage the token; and
  
  a security server configured to interface with the security client, wherein the security server is configured to detect the token to be enrolled by the security server, generate a subject key pair within the security server based on a plurality of sources of entropy, wherein the subject key pair includes a subject public key and the subject private key;
  
  encrypt the subject private key with a key transport session key to arrive at a wrapped private key; and
  
  forward the wrapped private key to the token.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 14. The system of claim 13, wherein the security client further comprises:
    - a token processing gateway configured to manage the interface between the security client and the security client;
      
      a key service module configured to interface with the token processing gateway;
      
      a certificate authority module configured to interface with the token processing gateway and to generate certificates; and
      
      a data recovery manager (DRM) module configured to interface with the token processing gateway and configured to maintain a database of private keys, wherein the DRM module is configured to store the subject private key.
  - 15. The system of claim 14, wherein the key service module is further configured to generate the key transport session key and derive a key encryption key based on a master server key and identification number associated with the token.
  - 16. The system of claim 15, wherein the key service module is configured to encrypt the key transport session key with the key encryption key to arrive at a first wrapped key transport session key.
  - 17. The system of claim 16, wherein the key service module is further configured to retrieve a server transport key and encrypt the key transport session key with the server transport key to arrive at a second wrapped key transport session key.
  - 18. The system of claim 17, wherein the key service module is further configured to forward the first wrapped key transport session key and the second wrapped key transport session key to the token processing gateway.
  - 19. The system of claim 18, wherein the token processing gateway is further configured to forward the second wrapped key transport session key to the DRM module.
  - 20. The system of claim 19, wherein the DRM module is further configured to generate the subject key pair.
  - 21. The system of claim 19, wherein the DRM module is further configured to retrieve a storage key and generate a storage session key.
  - 22. The system of claim 21, wherein the DRM module is further configured to encrypt the subject private key with the storage session key to arrive at a wrapped storage private key and to encrypt the storage session key with the storage key to arrive at wrapped storage key.
  - 23. The system of claim 22, wherein the DRM module is configured to store the wrapped storage private key and wrapped storage key in a database maintained by the DRM module.
  - 24. The system of claim 20, wherein the DRM module is further configured to decrypt the second wrapped key transport key with a complementary private key of the server transport key and encrypt the subject private key with key transport session key to arrive at the wrapped private key.
  - 25. The system of claim 20, wherein the DRM module is further configured to forward the wrapped subject private key to the token processing gateway.
  - 26. The system of claim 14, wherein the token processing gateway is further configured to transmit a certificate enrollment request and information related to the subject public key to the certificate authority module.
  - 27. The system of claim 26, wherein the token processing gateway is further configured to forward any generated certificates to the token at the security client.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Lord, Robert B., Parkinson, Steven William

Granted Patent

US 8,589,695 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/185
CPC Class Codes

H04L 2209/603   Digital right managament [DRM]

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0853   using an additional device,...

H04L 9/0662   with particular pseudorando...

H04L 9/0822   using key encryption key

H04L 9/0869   involving random numbers or...

Methods and systems for entropy collection for server-side key generation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

164 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for entropy collection for server-side key generation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

164 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links