Encryption key exchange system and method

US 20120204032A1
Filed: 02/07/2011
Published: 08/09/2012
Est. Priority Date: 05/09/2006
Status: Active Grant

First Claim

Patent Images

1. In a network including a key exchange system and a plurality of network devices, a computer-implemented communication sender verification method comprising:

creating, in the key exchange system, a user account for a communication sender, the user account storing user identification information, user authentication criteria and user indicia;

verifying, by at least one of an administrative user of the key exchange system and a certificate authority and a third party application, that the user identification information associated with the user account identifies the communication sender;

specifying, by at least one of an administrative user of the key exchange system and a certificate authority and a third party application, a classification of the communication sender and associating the classification with the user account;

preferably associating a certificate for generating encryption key pairs to the user account;

associating the private key of a key pair to a network device of the communication sender;

associating, to the user account of the communication sender on the key exchange system, the public key of a key pair;

receiving, from a network device of a communication recipient, a request for at least one public key and user indicia associated to at least one user account; and

,transmitting, to the network device of the communication recipient, at least one public key and user indicia associated to at least one user account.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The present invention is a computer-implemented key exchange system and methods for improving the usability of encryption technologies such as Public Key Infrastructure (PKI). One aspect of the present invention includes registering users, verifying user identity, and classifying users such that the users may send a communications such that communication recipients can verify the user identity and classification of the communication sender. Another aspect of the present invention includes users initiating relationships with other users, approving the establishment of relationships, and exchanging encryption keys between users after the establishment of a relationship.

711 Citations

32 Claims

1. In a network including a key exchange system and a plurality of network devices, a computer-implemented communication sender verification method comprising:
- creating, in the key exchange system, a user account for a communication sender, the user account storing user identification information, user authentication criteria and user indicia;
  
  verifying, by at least one of an administrative user of the key exchange system and a certificate authority and a third party application, that the user identification information associated with the user account identifies the communication sender;
  
  specifying, by at least one of an administrative user of the key exchange system and a certificate authority and a third party application, a classification of the communication sender and associating the classification with the user account;
  
  preferably associating a certificate for generating encryption key pairs to the user account;
  
  associating the private key of a key pair to a network device of the communication sender;
  
  associating, to the user account of the communication sender on the key exchange system, the public key of a key pair;
  
  receiving, from a network device of a communication recipient, a request for at least one public key and user indicia associated to at least one user account; and
  
  ,transmitting, to the network device of the communication recipient, at least one public key and user indicia associated to at least one user account.
- View Dependent Claims (2, 3, 4, 5)
- - 2. The method of claim 1, wherein verifying the identity of the communication sender includes verifying the right of the communication sender to use the stored user indicia.
  - 3. The method of claim 1, wherein associating the public key of a key pair to a user account includes generating an asymmetric key pair from a certificate, the public key identifying the communication sender.
  - 4. The method of claim 1, wherein associating the public key of a key pair includes generating an asymmetric key pair from a certificate, the public key including at least one of embedded user indicia and an association to user indicia.
  - 5. The method of claim 1, wherein associating the public key of a key pair includes generating an asymmetric key pair from a certificate, the public key including at least one of embedded security zone indicia and an association to security zone indicia, wherein transmitting at least one public key and user indicia includes security zone indicia, and preferably wherein the key exchange system includes a means of storing security zone indicia.

6. In a network including a key exchange server and a plurality of network devices, a network device of a communication sender comprising:
- a network interface for facilitating network communication, preferably facilitating communication using a secure communication protocol;
  
  a processor for executing and a program memory for storing thereinuser authentication logic for managing at least one of user authentication information and user authentication criteria to authenticate at least one user with the key exchange server,signing logic for adding at least one attribute to a communication header and signing a communication with the private key of a key pair wherein the key pair provides the communication recipient with a means of verifying, by a public key retrieved from the key exchange system, the identity of the communication sender and a classification of the communication sender, andat least one ofcertificate requester logic for retrieving a certificate associated to a user account on the key exchange server, the certificate identifying a communication sender, the user indicia of the communication sender and a classification of the communication sender,private key requester logic for retrieving a private key of at least one key pair associated to a user account on the key exchange server, the key pair identifying a communication sender, the user indicia of the communication sender and a classification of the communication sender,security zone indicia requester logic for retrieving security zone indicia from the key exchange server,key generation logic for generating a key pair from a certificate whereby the private key is stored in at least one of the data storage and the program memory of the network device and the public key is transmitted to the key exchange server and associated to a user account on the key exchange server, the key pair identifying a communication sender, the user indicia of the communication sender and a classification of the communication sender,key rotation logic for invoking the key generation logic automatically on a periodic basis; and
  
  ,a communication application capable of invoking signing logic to sign a communication with the private key of a key pair, the key pair identifying a communication sender, the user indicia of the communication sender and a classification of the communication sender.
- View Dependent Claims (7, 8, 9, 10)
- - 7. The network device of claim 6, wherein the communication application is an email application and the communication is an email message.
  - 8. The network device of claim 6, wherein the communication application is an short message service application and the communication is a short message service message.
  - 9. The network device of claim 6, wherein the communication application is an instant messaging application and the communication is an instant message.
  - 10. The network device of claim 6, wherein the communication contains a variable, the signing logic is adapted to select a private key with associated security zone indicia, and the signing logic is adapted to substitute the variable with a reference to the security zone indicia of the selected private key.

11. In a network including a key exchange server and a plurality of network devices, a network device of a communication recipient comprising:
- a network interface for facilitating network communication, preferably facilitating communication using a secure communication protocol;
  
  a processor for executing and a program memory for storing thereinverifying logic for verifying a communication with the public key of a key pair retrieved from the key exchange server wherein the key pair provides the communication recipient with a means of verifying, a communication sender, the user indicia of the communication sender and a classification of the communication sender,sender verification panel logic for presenting to the communication recipient a sender verification panel in juxtaposition to a verified communication, the sender verification panel presenting the identity of the communication sender, the user indicia of the communication sender, the classification of the communication sender, andat least one ofpublic key requester logic for retrieving at least one public key of at least one key pair associated to a user account on the key exchange server, the key pair identifying a communication sender, the user indicia of the communication sender and a classification of the communication sender,security zone indicia requester logic for retrieving security zone indicia from the key exchange server,key rotation logic for invoking the public key requester logic automatically on a periodic basis; and
  
  ,a communication application capable of invoking verifying logic to verify a communication with the public key of a key pair, the key pair identifying a communication sender, the user indicia of the communication sender and a classification of the communication sender.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The network device of claim 11, wherein the communication application is an email application and the communication is an email message.
  - 13. The network device of claim 11, wherein the communication application is a short message service application and the communication is a short message service message.
  - 14. The network device of claim 11, wherein the communication application is an instant messaging application and the communication is an instant message.
  - 15. The network device of claim 11, wherein the communication application is at least one of a Voice over Internet Protocol application and a Session Initiation Protocol application and the communication is at least one of a voice communication and a multimedia communication.
  - 16. The network device of claim 11, wherein the communication contains user indicia and the sender verification panel provides a means of animating the user indicia of the sender verification panel with the user indicia of the communication.
  - 17. The network device of claim 11, wherein the sender verification panel logic includes a means of presenting security zone indicia.
  - 18. The network device of claim 17, wherein the communication contains security zone indicia and the sender verification panel provides a means of animating the security zone indicia of the sender verification panel with the security zone indicia of the communication.

19. In a network including a key exchange system and a plurality of network devices, a computer-implemented server verification method comprising:
- creating, in the key exchange system, a user account for a server provider, the user account storing server identification information, user authentication criteria and preferably user indicia;
  
  verifying, by at least one of an administrative user of the key exchange system and a certificate authority, that the server identification information associated with the user account identifies a server of the server provider;
  
  specifying, by at least one of an administrative user of the key exchange system and a certificate authority, a classification of the server provider and associating the classification with the user account;
  
  preferably associating a certificate for generating encryption key pairs to the user account;
  
  associating the first key of a key pair to a server of the server provider;
  
  associating, to the user account of the server provider on the key exchange system, the second key of a key pair;
  
  receiving, from a communication application of a network device, a request for at least one second key and preferably user indicia associated to at least one user account; and
  
  ,transmitting, to the communication application of the network device, at least one second key and preferably user indicia of at least one user account.
- View Dependent Claims (20, 21)
- - 20. The method of claim 19, wherein the communication application of the network device is adapted to utilize the at least one second key received from the key exchange system to identify a server of a server provider.
  - 21. The method of claim 20, wherein the communication application is adapted to present user indicia of a server provider in a server verification panel when the communication application identifies a server of a server provider using the second key of the server provider.

22. In a network including a key exchange system and a plurality of network devices, a computer-implemented key exchange method comprising:
- receiving, at the key exchange system, user registration information from a first network device;
  
  creating, in the key exchange system, a user account, the user account storing user authentication criteria;
  
  generating a unique user identifier for the user account;
  
  associating the unique user identifier to the user account;
  
  transmitting the unique user identifier to the first network device;
  
  receiving, at the key exchange system, a request from a second network device of a first user to establish a relationship with a second user, the request including first user authentication information and first user authentication criteria associated with a first user account and the user identifier of the second user;
  
  authenticating the first user request as a request from the first user using the first user authentication criteria and the first user authentication information prior to processing the request;
  
  establishing a link between the first user account and the second user account on the key exchange system, the link including a time of the request from the first network device and an approval status;
  
  determining whether the request of the first user to establish a relationship with the second user satisfies a second user approval criteria;
  
  associating one key of an encryption key pair to the link whereby the key enables the first user to at least one of sign and encrypt a communication intended for the second user; and
  
  ,transmitting, from the key exchange system to the second network device, the key associated with the link, the key enabling the first user to at least one of encrypt and sign a communication intended for the second user.
- View Dependent Claims (23, 24, 25)
- - 23. The method of claim 22 wherein associating one key of an encryption key pair to the link includes encrypting one key of the key pair and associating the encrypted key to the link, whereby the key enables the second user to at least one of verify and decrypt a communication received from the first user.
  - 24. The method of claim 22 wherein associating one key of an encryption key pair to the link includes at least one of generating an encryption key pair by a network device and transmitting one key to the key exchange system and generating an encryption key pair by the key exchange system where the encryption key pair is for the exclusive use of the first user and the second user.
  - 25. The method of claim 22 wherein the key exchange system is at least one of a standalone application and an application adapted to operate with a computing security system and an application adapted to operate with a social network and an application adapted to operate with a Voice over Internet Protocol system or a Session Initiation Protocol system.

26. In a network including a key exchange server, a network device comprising:
- data storage for storing encryption keys;
  
  a network interface facilitating communication with the key exchange server; and
  
  ,a communication application, wherein the communication application is programmed to at least one ofsend, from the communication application to the key exchange system, a request from a first user to establish a relationship with a second user, the request including first user authentication information associated with a first user account on the key exchange system and the user identifier of the second user of the key exchange system,respond to the establishment of a relationship on the key exchange system initiated by the first user with the second user by storing, in the network device, the first key of an asymmetric key pair, the first key facilitating at least one of secured and authenticated communication with the second user,where the network device or communication application generates the asymmetric key pair, respond to the establishment of a relationship on the key exchange system initiated by the first user with the second user by transmitting the second key of an asymmetric key pair to the key exchange system, wherein it is stored in a link record associated to the first user and the second user in the key exchange system,respond to the establishment of a relationship on the key exchange system initiated by the second user with the first user by retrieving from the key exchange system and storing in the network device the second key of an asymmetric key pair, the second key facilitating at least one of secured and authenticated communication with the second user,identify the first user as a sender of a communication and identify the second user as the addressee of a communication, select an encryption key associated to the first user and the second user, and at least one of sign and encrypt the communication with the selected encryption key, andidentify the first user as the addressee of a communication and identify the second user as the sender of a communication, select an encryption key associated to the first user and second user, and at least one of verify and decrypt the communication with the selected encryption key.
- View Dependent Claims (27, 28, 29)
- - 27. The network device of claim 26 wherein the network device is adapted to operate as an email proxy.
  - 28. The network device of claim 26 wherein the network device is a network appliance.
  - 29. The network appliance of claim 28 wherein the network appliance is adapted with an application programming interface to support interaction with at least one client application.

30. In a network including a key exchange server, a network appliance and a client application, a computer-implemented key exchange method comprising:
- presenting in the user interface of the client application to an authenticated user of the client application a means of at least one of initiating and approving a relationship between the first user of the key exchange system and a second user of the key exchange system; and
  
  ,the client application at least one of initiating and approving a relationship between the first user of the key exchange system and the second user of the key exchange system by at least one of communicating directly with the key exchange system and communicating with a network appliance capable of communicating with the key exchange system.
- View Dependent Claims (31, 32)
- - 31. The method of claim 30, wherein client app is further adapted to at least one of encrypt a communication, sign a communication, decrypt a communication and verify a communication via an application programming interface to the network appliance.
  - 32. The method of claim 30 further comprising creating, in the key exchange system, a user account for a second user, the second user account storing user identification information, user authentication criteria and user indicia;
    - verifying, by at least one of an administrative user of the key exchange system and a certificate authority, that the user identification information associated with the second user account identifies the second user;
      
      specifying, by an administrative user of the key exchange system, a classification of the second user and associating the classification with the second user account;
      
      verifying, by the establishment of a relationship between the first user and the second user on the key exchange system, the identity of the first user of the key exchange system; and
      
      preferably generating, by the key exchange system, a digital certificate, the digital certificate capable of identifying the first user to at least one third party and transmitting the digital certificate via a secure network connection to a network device of the first user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SyncUp Corp.
Original Assignee
SyncUp Corp.
Inventors
Keefe, Michael, Rehman, Sam, Wilkins, John

Granted Patent

US 9,002,018 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/170
CPC Class Codes

H04L 2463/041   using an encryption or decr...

H04L 51/00   User-to-user messaging in p...

H04L 63/0428   wherein the data content is...

H04L 63/062   for key distribution, e.g. ...

H04L 9/006   involving public key infras...

H04L 9/083   involving central third par...

H04L 9/0891   Revocation or update of sec...

H04L 9/321   involving a third party or ...

H04L 9/3263   involving certificates, e.g...

Encryption key exchange system and method

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

711 Citations

32 Claims

Specification

Solutions

Use Cases

Quick Links

Encryption key exchange system and method

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

711 Citations

32 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links