DYNAMIC DISTRIBUTED KEY SYSTEM AND METHOD FOR IDENTITY MANAGEMENT, AUTHENTICATION SERVERS, DATA SECURITY AND PREVENTING MAN-IN-THE-MIDDLE ATTACKS

US 20090106551A1
Filed: 04/25/2007
Published: 04/23/2009
Est. Priority Date: 04/25/2006
Status: Active Grant

First Claim

Patent Images

1. A method of encrypting a communication between a first source computer and a second destination computer, wherein said source and destination computers are each provided respectively with first and second private distributed keys, each associated with a first and second unique private key identifier, wherein a key storage server is provided with said first and second private distributed keys, each associated with said first and second unique private key identifiers, said method comprising:

i) said source computer sending a request to said key storage server for a session key;

ii) said key storage server identifying said source computer and locating its associated private distributed key;

iii) said key storage server generating a unique session key for the session in question, identified by a unique session identifier;

iv) said key storage server encrypting the session key with said source computer private distributed key and sending it, with a session identifier, to said source computer;

v) said source computer using said source computer private distributed key to decrypt the session key and using the session key to encrypt said communication, which is sent to the destination computer along with said session identifier;

vi) said destination computer receives the encrypted communication and session identifier and sending a request to said key storage server for the session key associated with said session identifier;

vii) said key storage server determining from the session identifier whether it has the corresponding session key, and whether it has said destination computer'"'"'s private distributed key;

viii) if said key storage server determines from the session identifier that it has the corresponding session key, and has said destination computer'"'"'s private distributed key, said key storage server encrypting the session key said destination computer'"'"'s private distributed key and communicating it to said destination computer;

ix) said destination computer then decrypting the session key using its private distributed key and decrypting said communication using the decrypted session key.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A distributed key encryption system and method is provided in which a key storage server provides a session key to the source and destination computers by encrypting the session key with unique distributed private keys that are associated with the respective source and destination computers by unique private key identifiers The destination computer then decrypts the encrypted session key using it'"'"'s distributed private key and then decrypts the communication using the decrypted session key.

Citations

16 Claims

1. A method of encrypting a communication between a first source computer and a second destination computer, wherein said source and destination computers are each provided respectively with first and second private distributed keys, each associated with a first and second unique private key identifier, wherein a key storage server is provided with said first and second private distributed keys, each associated with said first and second unique private key identifiers, said method comprising:
- i) said source computer sending a request to said key storage server for a session key;
  
  ii) said key storage server identifying said source computer and locating its associated private distributed key;
  
  iii) said key storage server generating a unique session key for the session in question, identified by a unique session identifier;
  
  iv) said key storage server encrypting the session key with said source computer private distributed key and sending it, with a session identifier, to said source computer;
  
  v) said source computer using said source computer private distributed key to decrypt the session key and using the session key to encrypt said communication, which is sent to the destination computer along with said session identifier;
  
  vi) said destination computer receives the encrypted communication and session identifier and sending a request to said key storage server for the session key associated with said session identifier;
  
  vii) said key storage server determining from the session identifier whether it has the corresponding session key, and whether it has said destination computer'"'"'s private distributed key;
  
  viii) if said key storage server determines from the session identifier that it has the corresponding session key, and has said destination computer'"'"'s private distributed key, said key storage server encrypting the session key said destination computer'"'"'s private distributed key and communicating it to said destination computer;
  
  ix) said destination computer then decrypting the session key using its private distributed key and decrypting said communication using the decrypted session key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 14, 15)
- - 2. The method of claim 1 wherein said session key is encapsulated with an authentication key.
  - 3. The method of claim 1 wherein said authentication key is Whitenoise.
  - 4. The method of claim 1 wherein a hardware-specific identifier is used as a seed and offset to generate a device-specific key.
  - 5. The method of claim 1 wherein said private distributed private keys are Whitenoise-produced keys.
  - 6. The method of claim 1 wherein to distribute private keys the server receives a device-specific identifier from a new device, generates a unique key and unique starting offset from the device-specific identifier, encrypts a private key with said unique key and sends said encrypted private key to the new device.
  - 7. The method of claim 5 wherein the Whitenoise distributed private key is used as an AES session key generator.
  - 8. The method of claim 6 wherein, when the encryption application is initiated by the new device the application key uses the device-specific identifier to decrypt the private key.
  - 9. The method of claim 1 wherein data is encrypted in the key of the destination computer in a streaming fashion.
  - 10. The method of claim 1 wherein a session key is encrypted with a pre-distributed AES private key, and said AES-encrypted session key is then double encrypted with a pre-distributed AES or WN authentication key to double encrypt the session key
  - 11. The method of claim 1 wherein key segments that have yet to be created streams. are compared by comparing key segments ahead of the last offset to authenticate a user.
  - 14. The method of claim 1 wherein said distributed key is used as a random number generator to generate further distributed keys or session keys.
  - 15. The method of claim 1 wherein a distributed key is used to perturb a pre-distributed key schedule at an endpoint in order to create unique new keys.

12. The method of claim 12 wherein hacking is detected when, if a copy of a key is made, the offsets do not match between the legitimate key and the stolen key.

13. The method of claim 13 wherein a user account is revoked when hacking is detected.

16. A system for encrypting a communication between a first source computer and a second destination computer, wherein said source and destination computers are each provided respectively with first and second private distributed keys, each associated with a first and second unique private key identifier, said system further comprisingi) a key storage server provided with said first and second private distributed keys, each associated with said first and second unique private key identifiers:
- ii) means associated with said source computer for sending a request to said key storage server for a session key;
  
  iii) means associated with said key storage server for identifying said source computer and locating its associated private distributed key;
  
  iv) means associated with said key storage server for generating a unique session key for the session in question, identified by a unique session identifier;
  
  v) means associated with said key storage server for encrypting the session key with said source computer private distributed key and sending it, with a session identifier, to said source computer;
  
  vi) means associated with said source computer for using said source computer private distributed key to decrypt the session key and using the session key to encrypt said communication, which is sent to the destination computer along with said session identifier;
  
  vii) means associated with said destination computer for receiving the encrypted communication and session identifier and sending a request to said key storage server for the session key associated with said session identifier;
  
  viii) means associated with said key storage server for determining from the session identifier whether it has the corresponding session key, and whether it has said destination computer'"'"'s private distributed key, and if said key storage server determines from the session identifier that it has the corresponding session key, and has said destination computer'"'"'s private distributed key, said key storage server encrypting the session key said destination computer'"'"'s private distributed key and communicating it to said destination computer;
  
  ix) means associated with said destination computer for then decrypting the session key using its private distributed key and decrypting said communication using the decrypted session key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Andre Jacques Brisson, Stephen Laurence Boren
Original Assignee
Andre Jacques Brisson, Stephen Laurence Boren
Inventors
Brisson, Andre Jacques, Boren, Stephen Laurence

Granted Patent

US 9,166,782 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/158
CPC Class Codes

H04L 63/0428   wherein the data content is...

H04L 9/0822   using key encryption key

H04L 9/083   involving central third par...

H04L 9/321   involving a third party or ...

H04L 9/3226   using a predetermined code,...

DYNAMIC DISTRIBUTED KEY SYSTEM AND METHOD FOR IDENTITY MANAGEMENT, AUTHENTICATION SERVERS, DATA SECURITY AND PREVENTING MAN-IN-THE-MIDDLE ATTACKS

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

DYNAMIC DISTRIBUTED KEY SYSTEM AND METHOD FOR IDENTITY MANAGEMENT, AUTHENTICATION SERVERS, DATA SECURITY AND PREVENTING MAN-IN-THE-MIDDLE ATTACKS

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links