System, Method and Apparatus for Cryptography Key Management for Mobile Devices

US 20080209221A1
Filed: 08/05/2005
Published: 08/28/2008
Est. Priority Date: 08/05/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising binding encryption and decryption keys using a unique user identifier(UID), a unique device identifier(UDID), and a user password(Pswd) to a client mobile device in an enterprise cryptography key management system.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A technique that binds encryption and decryption keys using a UID, a UDID, and a Pswd to a client mobile device in an enterprise. In one example embodiment, this is achieved by creating a new user account using the UID and the DPswd in an inactive state and communicating the UID and the DPswd to an intended user using a secure communication medium by an administrator. The intended user then logs into a cryptography key management system using the UID and the DPswd via a client mobile device. The UDID associated with the client mobile device is then hashed to create a H(UDID). The H(UDID) is then sent to the cryptography key management system by a local key management application module. The H(UDID) is then authenticated by the cryptography key management system. An encryption/decryption key is then assigned for the client mobile device.

128 Citations

View as Search Results

19 Claims

1. A method comprising binding encryption and decryption keys using a unique user identifier(UID), a unique device identifier(UDID), and a user password(Pswd) to a client mobile device in an enterprise cryptography key management system.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, wherein binding the encryption and decryption keys using the UID, the UDID, and the Pswd comprises:
    - creating a new user account using the UID and a default password (DPswd) in an inactive state in the cryptography key management system by the administrator;
      
      communicating the UID and the DPswd to the intended user using a secure communication medium by the administrator;
      
      logging into the cryptography key management system using the UID and the DPswd via the client mobile device by the intended user upon authenticating the DPswd by the cryptography key management system;
      
      changing the DPswd to a new password (NewPswd) by the intended user;
      
      sending the NewPswd that is encrypted by a cryptography key derived from the DPswd to the cryptography key management system;
      
      replacing the DPswd with the NewPswd if the NewPswd satisfies enterprise password security requirements;
      
      requesting the UDID from the client mobile device by the cryptography key management system;
      
      sending the hashed unique device identifier(H(UDID)) encrypted by the password ({H(UDID)}Pswd) to the cryptography key management system by a key management application module and associating the UDID with the user account; and
      
      registering the cryptography/data recovery key for the associated client mobile device with the enterprise using the cryptography/data recovery key, the UID, the UDID, and the unique key identifier(KeyID).
  - 3. The method of claim 2, wherein cryptography key is selected from the group consisting of symmetric cryptography key and asymmetric cryptography key.
  - 4. The method of claim 2, wherein sending the H(UDID) obtained using the UDID associated with the client mobile device to the cryptography key management system by a key management application module and associating the UDID with the user account comprises:
    - hashing the UDID of the client mobile device to create an H(UDID);
      
      sending the password encrypted H(UDID) of the client mobile device along with the UID to the cryptography key management system by the key management application module;
      
      decrypting the encrypted H(UDID) by the cryptography key management system using the password;
      
      if decryption fails, then terminating communication with the client mobile device; and
      
      if the decryption is successful, then recomputing a hash of the decrypted UDID and validating integrity of the decrypted UDID by comparing with the H(UDID) sent by the key management application module and on successful validation associating the UDID with the user account in the secure key database.
  - 5. The method of claim 4, wherein sending the H(UDID) of the client mobile device along with the password encrypted UID to the cryptography key management system by the key management application module comprises:
    - obtaining the UDID from the client mobile device;
      
      forming the hash of the UDID by using a hash algorithm;
      
      sending the H(UDID) along with the password encrypted UID to the cryptography key management system over a secure communication channel;
      
      authenticating the H(UDID) sent by the key management application module;
      
      if authentication fails, then terminating communication with the client mobile device; and
      
      if the authentication is successful, then allowing a desired operation requested by the intended user.
  - 6. The method of claim 2, wherein registering the cryptography/data recovery key for the associated client mobile device with the enterprise using the cryptography/data recovery key, the UID, the UDID, and the KeyID comprises:
    - requesting the UID, the data recovery key, and the Pswd upon connecting a client mobile device by the key management application module from an intended user;
      
      determining a UDID associated with the client mobile device by the key management application module;
      
      hashing the UDID by the key management application module;
      
      encrypting the H(UDID) along with the data recovery key using a symmetric cryptography key derived from the Pswd;
      
      sending the encrypted H(UDID) along with the UID and the cryptography/data recovery key to the cryptography key management system by the key management application module;
      
      passing the UID and requesting the stored Pswd;
      
      returning the Pswd associated with the UID upon validating the passed UID by the cryptography key management system;
      
      decrypting the H(UDID) and the cryptography/data recovery key using the returned Pswd;
      
      if decryption is unsuccessful, then stopping the registering of the data recovery key;
      
      if decryption is successful, then establishing a mutual authentication;
      
      generating a KeyID and passing the H(UDID), the data recovery key, and the KeyID;
      
      storing the data recovery key, the KeyID associated with the UDID by the cryptography key management system upon validating the H(UDID);
      
      encrypting the KeyID using a symmetric cryptography key derived from the Pswd to obtain a password-encrypted KeyID and sending the password-encrypted KeyID to the key management application module by the cryptography key management system; and
      
      decrypting the password-encrypted KeyID using a symmetric cryptography key derived from the password to obtain the KeyID and storing the obtained KeyID.
  - 7. The method of claim 6, wherein decrypting the H(UDID) and the cryptography/data recovery key using the returned Pswd upon successful validation of the UID by the key management system comprises:
    - determining whether the encrypted H(UDID) and the cryptography/data recovery key can be decrypted using a symmetric cryptography key derived from the returned Pswd; and
      
      if so, decrypting H(UDID) and the cryptography/data recovery key using a symmetric cryptography key derived from the returned Pswd.

8. A method comprising changing a Pswd in a cryptography key management system via a client mobile device using a UID, a UDID, a unique key identifier, a current Pswd, and a NewPswd.
- View Dependent Claims (9)
- - 9. The method of claim 8 wherein changing the Pswd in the enterprise via the client mobile device using the UID, the UDID, the current Pswd, and the NewPswd comprises:
    - requesting the UID, the current Pswd and the NewPswd from an intended user via the client mobile device;
      
      determining the UDID associated with the client mobile device;
      
      hashing the UDID;
      
      encrypting the H(UDID) and the NewPswd using a symmetric cryptography key derived from the current Pswd to obtain a password-encrypted H(UDID) and a encrypted NewPswd;
      
      sending the password-encrypted H(UDID) and the encrypted NewPswd to a cryptography key management system and requesting a change in the current Pswd;
      
      connecting the key management application module to a secure key database via a valid user role by the cryptography key management system upon a successful validation of the UDID and returning the Pswd for an associated UID to the cryptography key management system by the secure key database;
      
      decrypting the password-encrypted H(UDID) and the encrypted NewPswd using a symmetric cryptography key derived from the Pswd to obtain the H(UDID) and the NewPswd by the cryptography key management system;
      
      determining whether the decryption of the password-encrypted H(UDID) and the encrypted NewPswd was successful; and
      
      establishing a client authentication by the cryptography key management system and storing the NewPswd associated with the UDID and UID in the secure key database upon a successful decryption.

10. An article comprising:
- a storage medium having instructions that, when executed by a computing platform, result in execution of a method comprising;
  
  binding encryption and decryption keys using a UID, a UDID, and a Pswd to a client mobile device in an enterprise cryptography key management system.
- View Dependent Claims (11, 12, 13, 14, 15, 16)
- - 11. The article of claim 10, wherein binding the encryption and decryption keys using the UID, the UDID, and the Pswd comprises:
    - creating a new user account using the UID and a DPswd in an inactive state in the cryptography key management system by the administrator;
      
      communicating the UID and the DPswd to the intended user using a secure communication medium by the administrator;
      
      logging into the cryptography key management system using the UID and the DPswd via the client mobile device by the intended user upon authenticating the default password by the cryptography key management system;
      
      changing the DPswd to a NewPswd by the intended user;
      
      sending the NewPswd, encrypted by a cryptography key derived from the DPswd to the cryptography key management system;
      
      replacing the DPswd with the NewPswd if the NewPswd satisfies enterprise password security requirements;
      
      requesting the UDID from the client mobile device by the cryptography key management system;
      
      sending the password encrypted hash of the UDID along with the UID to the cryptography key management system by a key management application module and associating the UDID with the user account; and
      
      registering the cryptography/data recovery key for the associated client mobile device with the enterprise using the cryptography/data recovery key, the UID, the UDID, and the KeyID.
  - 12. The article of claim 11, wherein cryptography key is selected from the group consisting of symmetric cryptography key and asymmetric cryptography key.
  - 13. The article of claim 11, wherein sending the H(UDID) obtained using the UDID associated with the client mobile device to the cryptography key management system by a key management application module and associating the UDID with the user account comprises:
    - hashing the UDID of the client mobile device to create a H(UDID);
      
      sending the password encrypted H(UDID) of the client mobile device along with the UID to the cryptography key management system by the key management application module;
      
      decrypting the encrypted H(UDID) by the cryptography key management system using the password;
      
      if decryption fails, then terminating communication with the client mobile device; and
      
      if the decryption is successful, then re-computing a hash of the decrypted UDID and validating the integrity of the decrypted UDID by comparing with the H(UDID) sent by the key management application module and on successful validation associating the UDID with the user account in the secure key database.
  - 14. The article of claim 13, wherein sending the H(UDID) of the client mobile device along with the password encrypted UID to the cryptography key management system by the key management application module comprises:
    - obtaining the UDID from the client mobile device;
      
      forming the H(UDID) from the UDID by using a hash algorithm;
      
      sending the H(UDID) along with the password encrypted UID to the cryptography key management system over a secure communication channel;
      
      authenticating the H(UDID) sent by the key management application module;
      
      if authentication fails, then terminating communication with the client mobile device; and
      
      if the authentication is successful, then allowing a desired operation requested by the intended user.
  - 15. The article of claim 11, wherein registering the cryptography/data recovery key for the associated client mobile device with the enterprise using the cryptography/data recovery key, the UID, the UDID, and the KeyID comprises:
    - requesting the UID, the data recovery key, and the Pswd upon connecting a client mobile device by the key management application module from an intended user;
      
      determining a UDID associated with the client mobile device by the key management application module;
      
      hashing the UDID by the key management application module;
      
      encrypting the H(UDID) along with the data recovery key using a symmetric cryptography key derived from the Pswd;
      
      sending the encrypted H(UDID) along with the UID to the cryptography key management system by the key management application module;
      
      passing the UID and requesting the stored Pswd;
      
      returning the Pswd associated with the UID upon validating the passed UID by the cryptography key management system;
      
      decrypting the encrypted H(UDID) and the cryptography/data recovery key using the returned password;
      
      if decryption is unsuccessful, then stopping the registering of the data recovery key;
      
      if decryption is successful, then establishing a mutual authentication;
      
      generating a KeyID and passing the H(UDID), the data recovery key, and the KeyID;
      
      storing the data recovery key, the KeyID associated with the UDID by the cryptography key management system upon validating the H(UDID);
      
      encrypting the KeyID using a symmetric cryptography key derived from the Pswd to obtain a password-encrypted KeyID and sending the password-encrypted KeyID to the key management application module by the cryptography key management system; and
      
      decrypting the password-encrypted KeyID using a symmetric cryptography key derived from the password to obtain the KeyID and storing the obtained KeyID.
  - 16. The article of claim 15, wherein decrypting the encrypted H(UDID) and the cryptography/data recovery key using the returned Pswd upon successful validation of the UID by the key management system comprises:
    - determining whether the encrypted H(UDID) and the cryptography/data recovery key can be decrypted using a symmetric cryptography key derived from the returned Pswd; and
      
      if so, decrypting H(UDID) and the cryptography/data recovery key using a symmetric cryptography key derived from the returned Pswd.

17. A cryptography key management apparatus, comprising:
- a cryptography key management system that allows to create a new user account with the system and register the user with the system, allows the registered user to register a new client mobile device with the system, allows the registered user to register a cryptography/data recovery key with the system and associate/bind it with the client mobile device in the system, allows the registered user to request for a cryptography key for encryption for the client mobile device from the system, allows the registered user to request a registered cryptography/data recovery key for decryption for the client mobile device from the system, allows a registered user to change its password/authentication tokens in the system, allows to decrypt the data stored encrypted on a removable media if the mobile device on which the encryption performed is lost or unavailable and allows to create and manage user accounts in the key management system;
  
  a secure key database coupled to the cryptography key management system to store the registered user account information, the registered cryptography/data-recovery key information and information binding the cryptography/data-recovery key with a registered client mobile device and a registered user, wherein the user account information comprises of the UID, UDID of the registered client mobile device, Pswd/authentication tokens stored in encrypted format and the account state; and
  
  a client mobile device, wherein the client mobile device comprises;
  
  a key management application module that allows the intended user to log on to the key management system, register the client mobile device with the key management system, register a cryptography/data-recovery key with the key management system, request a cryptography key for encryption from the key management system, request a registered cryptography/data-recovery key for decryption from the key management system which is bound to the client mobile device, change the Pswd/authentication tokens from the key management system, encrypt and decrypt files on the client mobile device and store the metadata of the encrypted files on the client mobile device.
- View Dependent Claims (18, 19)
- - 18. The system of claim 17, wherein the cryptography key management system creates a new user account using the UID and a DPswd in an inactive state, wherein the UID and the DPswd is communicated to the intended user using the secure communication medium, wherein the intended user logs into the cryptography key management system using the UID and the DPswd via the client mobile device upon authenticating the DPswd by the cryptography key management system, wherein the user changes the DPswd to a NewPswd, wherein the NewPswd is encrypted by a cryptography key derived from the DPswd and sent to the cryptography key management system, and wherein the DPswd is replaced with the NewPswd if the DPswd satisfies enterprise requirements associated with a password strength stored in the secure key database.
  - 19. The system of claim 17, wherein the key management application module hashes the UDID associated with the client mobile device to create a H(UDID), wherein the key management application module sends the H(UDID) along with the encrypted password to the cryptography key management system, wherein the cryptography key management system authenticates the H(UDID), wherein the cryptography key management system terminates the communication with the client mobile device if the authentication fails, and wherein the cryptography key management system allows a desired operation by the intended user if the authentication is successful.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Inventors
Vennelakanti, Ravigopal, Fernandes, Savio

Granted Patent

US 9,425,958 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/183
CPC Class Codes

H04L 2209/80   Wireless network architectu...

H04L 63/06   for supporting key manageme...

H04L 63/062   for key distribution, e.g. ...

H04L 63/083   using passwords cryptograph...

H04L 63/0846   using time-dependent-passwo...

H04L 9/0891   Revocation or update of sec...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

H04L 9/3273   for mutual authentication n...

H04W 12/0433   Key management protocols

H04W 12/069   using certificates or pre-s...

System, Method and Apparatus for Cryptography Key Management for Mobile Devices

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

128 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

System, Method and Apparatus for Cryptography Key Management for Mobile Devices

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

128 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links