INTERLOCKING PLAIN TEXT PASSWORDS TO DATA ENCRYPTION KEYS

US 20110087890A1
Filed: 04/27/2010
Published: 04/14/2011
Est. Priority Date: 10/09/2009
Status: Active Grant

First Claim

Patent Images

1. A method of generating a unique password for authenticating a user for access to an encrypted storage device, the method comprising:

generating, by a random number generator;

i) a root key to encrypt and decrypt data;

ii) a maker'"'"'s password to generate other passwords;

iii) an authentication hash key to generate hashed values of plaintext passwords; and

iv) a random data key corresponding to the unique authentication hash key;

generating, by an encryption module, an encrypted data key based on the random data key, the authentication hash key and the root key;

generating, by the encryption module, a unique plaintext password for the user based on a random number and the encrypted data key;

generating, by a hash module, a hashed value of the generated plaintext password based on the authentication hash key;

storing the hashed value of the plaintext password and the corresponding encrypted data key to a key storage; and

providing the plaintext password to the user.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described embodiments provide for authenticating a user request for access to at least a portion of an encrypted storage device. First, the request for access to at least a portion of the encrypted storage device is received. The request includes a plaintext password. A hash module generates a hashed version of the received plaintext password based on an authentication hash key. A hashed value of the generated plaintext password is retrieved from a key storage. A hash comparator compares the hashed version of the received plaintext password with the retrieved hashed value of the generated plaintext password. If the hashed version of the received plaintext password and the retrieved hashed value of the generated plaintext password are equal, the user is authenticated for access to at least a portion of the encrypted storage device. Otherwise, the user is denied access to the encrypted storage device.

107 Citations

View as Search Results

22 Claims

1. A method of generating a unique password for authenticating a user for access to an encrypted storage device, the method comprising:
- generating, by a random number generator;
  
  i) a root key to encrypt and decrypt data;
  
  ii) a maker'"'"'s password to generate other passwords;
  
  iii) an authentication hash key to generate hashed values of plaintext passwords; and
  
  iv) a random data key corresponding to the unique authentication hash key;
  
  generating, by an encryption module, an encrypted data key based on the random data key, the authentication hash key and the root key;
  
  generating, by the encryption module, a unique plaintext password for the user based on a random number and the encrypted data key;
  
  generating, by a hash module, a hashed value of the generated plaintext password based on the authentication hash key;
  
  storing the hashed value of the plaintext password and the corresponding encrypted data key to a key storage; and
  
  providing the plaintext password to the user.

2. A method of authenticating a user request for access to at least a portion of an encrypted storage device, the method comprising:
- receiving the request for access to at least a portion of the encrypted storage device, the request including a plaintext password;
  
  generating, by a hash module, a hashed version of the received plaintext password based on an authentication hash key;
  
  retrieving, from a key storage, a hashed value of a generated plaintext password;
  
  comparing, by a hash comparator, the hashed version of the received plaintext password with the retrieved hashed value of the generated plaintext password; and
  
  if the hashed version of the received plaintext password and the retrieved hashed value of the generated plaintext password are equal, authenticating the user for access to at least a portion of the encrypted storage device,otherwise, denying the user access to the encrypted storage device.
- View Dependent Claims (3, 4, 5, 6, 7, 8, 9)
- - 3. The invention of claim 2, further comprising:
    - changing the user'"'"'s plaintext password, comprising the steps of;
      
      receiving a desired plaintext password for the user; and
      
      generating, by the hash module, a hashed version of the desired plaintext password based upon the authentication hash key and the root key.
  - 4. The invention of claim 3, further comprising:
    - extracting the authentication hash key and data key from the encrypted data key.
  - 5. The invention of claim 2, further comprising:
    - storing, to a key cache, one or more decrypted data keys.
  - 6. The invention of claim 2, wherein the at least a portion of the encrypted storage device corresponds to one or more bands of the encrypted storage device.
  - 7. The invention of claim 5, wherein a user password allows access to at least one corresponding band of the storage device, and an administrative password allows access to one or more bands of the storage device.
  - 8. The invention of claim 2, wherein the root key, the authentication hash key, the hashed version of the plaintext password and the corresponding unencrypted data key are accessible only within an encryption datapath of the storage device.
  - 9. The invention of claim 2, wherein:
    - the root key is a pair of 256 bit keys, the plain text password is a 256 bit password, the authentication hash key is a 256 bit key, the random data key is one of a 128, 256 and 512 bit key, and the encrypted data key is one of a 448, 576 and 832 bit key.

10. A machine-readable storage medium, having encoded thereon program code, wherein, when the program code is executed by a machine, the machine implements a method of generating a unique password for authenticating a user for access to an encrypted storage device, the method comprising:
- generating, by a random number generator;
  
  i) a root key to encrypt and decrypt data;
  
  ii) a maker'"'"'s password to generate other passwords;
  
  iii) an authentication hash key to generate hashed values of plaintext passwords; and
  
  iv) a random data key corresponding to the unique authentication hash key;
  
  generating, by an encryption module, an encrypted data key based on the random data key, the authentication hash key and the root key;
  
  generating, by the encryption module, a unique plaintext password for the user based on a random number and the encrypted data key;
  
  generating, by a hash module, a hashed value of the generated plaintext password based on the authentication hash key;
  
  storing the hashed value of the plaintext password and the corresponding encrypted data key to a key storage; and
  
  providing the plaintext password to the user.

11. A machine-readable storage medium, having encoded thereon program code, wherein, when the program code is executed by a machine, the machine implements a method of authenticating a user request for access to at least a portion of an encrypted storage device, the method comprising:
- receiving the request for access to at least a portion of the encrypted storage device, the request including a plaintext password;
  
  generating, by a hash module, a hashed version of the received plaintext password based on an authentication hash key;
  
  retrieving, from a key storage, a hashed value of a generated plaintext password;
  
  comparing, by a hash comparator, the hashed version of the received plaintext password with the retrieved hashed value of the generated plaintext password; and
  
  if the hashed version of the received plaintext password and the retrieved hashed value of the generated plaintext password are equal, authenticating the user for access to at least a portion of the encrypted storage device,otherwise, denying the user access to the encrypted storage device.
- View Dependent Claims (12, 13, 14, 15, 16, 17)
- - 12. The invention of claim 11, further comprising:
    - changing the user'"'"'s plaintext password, comprising the steps of;
      
      receiving a desired plaintext password for the user; and
      
      generating, by the hash module, a hashed version of the desired plaintext password based upon the authentication hash key and the root key.
  - 13. The invention of claim 12, further comprising:
    - extracting the authentication hash key and data key from the encrypted data key.
  - 14. The invention of claim 11, further comprising:
    - storing, to a key cache, one or more decrypted data keys.
  - 15. The invention of claim 11, wherein the at least a portion of the encrypted storage device corresponds to one or more bands of the encrypted storage device.
  - 16. The invention of claim 15, wherein a user password allows access to at least one corresponding band of the storage device, and an administrative password allows access to one or more bands of the storage device.
  - 17. The invention of claim 11, wherein the root key, the authentication hash key and the corresponding unencrypted data key are accessible only within an encryption datapath of the storage device.

18. An apparatus for authenticating a user for access to an encrypted storage device, the apparatus comprising:
- a random number generator for generating;
  
  i) a root key to encrypt and decrypt data;
  
  ii) a maker'"'"'s password to generate other passwords;
  
  iii) an authentication hash key to generate hashed values of plaintext passwords; and
  
  iv) a random data key corresponding to the unique plaintext password;
  
  an encryption module for generating i) an encrypted data key based on the random data key and the root key, and ii) a unique plaintext password for the user based on a random number and the encrypted data key;
  
  a hash module for generating i) a hashed value of the generated plaintext password based on the authentication hash key and ii) generating a hashed version of the received plaintext password based on the authentication hash key;
  
  a key storage for storing the hashed value of the plaintext password and the corresponding encrypted data key;
  
  a communication link for i) providing the plaintext password to the user, and ii) receiving the request for access to at least a portion of the encrypted storage device, the request including the plaintext password;
  
  a hash comparator for comparing the hashed version of the received plaintext password with the hashed value of the generated plaintext password, wherein, if the hashed version of the received plaintext password and the retrieved hashed value of the generated plaintext password are equal, authenticating the user for access to at least a portion of the encrypted storage device, otherwise, denying the user access to the encrypted storage device.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The invention of claim 18, further comprising:
    - a key cache for storing one or more decrypted data keys.
  - 20. The invention of claim 18, wherein the encrypted storage device comprises one or more bands of the encrypted storage device, wherein a user password allows access to at least one corresponding band of the storage device, and an administrative password allows access to one or more bands of the storage device.
  - 21. The invention of claim 18, wherein the root key, the authentication hash key and the corresponding unencrypted data key are accessible only within an encryption datapath of the storage device.
  - 22. The invention of claim 18, wherein the apparatus is implemented in a monolithic integrated circuit chip.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
LSI Corporation (Broadcom, Inc.)
Inventors
Munsil, Jeffrey L., Williams, Jeffrey L.

Granted Patent

US 8,516,264 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/184
CPC Class Codes

G06F 21/31   User authentication

G06F 21/78   to assure secure storage of...

H04L 2209/12   Details relating to cryptog...

H04L 9/0866   involving user or device id...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

INTERLOCKING PLAIN TEXT PASSWORDS TO DATA ENCRYPTION KEYS

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

107 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

INTERLOCKING PLAIN TEXT PASSWORDS TO DATA ENCRYPTION KEYS

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

107 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links