Protocol for Controlling Access to Encryption Keys

US 20130007464A1
Filed: 06/27/2012
Published: 01/03/2013
Est. Priority Date: 07/02/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving information to identify a user of a computer;

validating the information; and

transmitting a key-encrypting key through a distributed data network to the computer after validating the information, whereinthe key-encrypting key is to decrypt a private key of a public/private keypair available at the computer.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A secure remote-data-storage system stores encrypted data and both plaintext and encrypted keys at a server, where data at the server is inadequate to recover the plaintext of the encrypted data; and stores at least one encrypted key at a client system. To decrypt the data, the client must obtain a copy of the encrypted data from the server, and a key to decrypt its locally-stored encrypted key. Once decrypted, the locally-stored key can be used to decrypt the encrypted data, or to decrypt an encrypted key from the server, which may then be used decrypt the encrypted data.

Citations

20 Claims

1. A method comprising:
- receiving information to identify a user of a computer;
  
  validating the information; and
  
  transmitting a key-encrypting key through a distributed data network to the computer after validating the information, whereinthe key-encrypting key is to decrypt a private key of a public/private keypair available at the computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - receiving an encrypted key block containing a document encryption key from the computer, said encrypted key block having been encrypted with a public key of the public/private keypair;
      
      receiving an encrypted document, said encrypted document having been encrypted with the document encryption key; and
      
      storing the encrypted key block and the encrypted document.
  - 3. The method of claim 1, further comprising:
    - transmitting an encrypted key block to the computer, the encrypted key block encrypted with a public key of the public/private keypair, the encrypted key block containing an encrypted document encryption key; and
      
      transmitting an encrypted document to the computer, the encrypted document encrypted using the document encryption key.
  - 4. The method of claim 1, further comprising:
    - transmitting an executable program to the computer, the executable program containing instructions to cause the computer to perform operations including;
      
      a) collecting information to identify the user of the computer;
      
      b) transmitting the information to a server;
      
      c) receiving the key-encrypting key from the server; and
      
      d) decrypting a private key of a public/private keypair using the key-encrypting key.
  - 5. The method of claim 1, further comprising:
    - transmitting an executable program to the computer, the executable program containing instructions to cause the computer to perform operations including;
      
      a) selecting a document encryption key;
      
      b) encrypting a document with the document encryption key to produce an encrypted document;
      
      c) encrypting the document encryption key with a public key of the public/private keypair; and
      
      d) sending the encrypted document and the encrypted document encryption key to a server.
  - 6. The method of claim 1, further comprising:
    - transmitting an executable program to the computer, the executable program containing instructions to cause the computer to perform operations including;
      
      a) receiving an encrypted key block from a server, the encrypted key block encrypted with a public key of the public/private keypair;
      
      b) decrypting an encrypted private key of the public/private keypair using the key-encrypting key to produce a plaintext private key;
      
      c) decrypting the encrypted key block using the plaintext private key to produce a plaintext document-encryption key;
      
      d) receiving an encrypted document from a server; and
      
      e) decrypting the encrypted document with the plaintext document encryption key to produce a plaintext document.
  - 7. The method of claim 1 wherein the information to identify the user of the computer comprises:
    - a username;
      
      a secret password; and
      
      a second authentication factor.
  - 8. The method of claim 7 wherein the second authentication factor is one of a One-Time-Password (“
    - OTP”
      
      ) value, a fingerprint scan or a retinal image.

9. A computer-readable medium containing instructions and data to cause a programmable processor to perform operations comprising:
- selecting an asymmetric encryption key pair (“
  
  public/private keypair”
  
  );
  
  selecting a key-encryption key;
  
  encrypting a private key of the public/private keypair using the key-encryption key;
  
  transmitting the key-encryption key to a server;
  
  transmitting a public key of the public/private keypair to the server; and
  
  discarding the key-encryption key.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
- - 10. The computer-readable medium of claim 9, containing additional instructions and data to cause the programmable processor to perform operations comprising:
    - constructing a key store containing a public key of the public/private keypair and the encrypted private key of the public/private keypair; and
      
      storing the key store on a second computer-readable medium.
  - 11. The computer-readable medium of claim 10 wherein the second computer-readable medium is a portable Flash drive.
  - 12. The computer-readable medium of claim 10, containing additional instructions and data to cause the programmable processor to perform operations comprising:
    - formatting the key store as a bar-code image; and
      
      printing the bar-code image.
  - 13. The computer-readable medium of claim 12 wherein the bar-code image is a QR Code®
    - image.
  - 14. The computer-readable medium of claim 12 wherein printing the bar-code image comprises:
    - printing the bar-code image on a sheet of self-adhesive labels.
  - 15. The computer-readable medium of claim 9 wherein the asymmetric encryption key pair is an RSA key pair.
  - 16. The computer-readable medium of claim 9 wherein selecting the key-encryption key comprises:
    - obtaining a plurality of random bits from a server;
      
      using the plurality of random bits to perturb a random number generator; and
      
      generating a second plurality of random bits with the random number generator, whereinthe key-encryption key comprises the second plurality of random bits.
  - 17. The computer-readable medium of claim 9 wherein the key-encryption key is an Advanced Encryption Standard (“
    - AES”
      
      ) key.
  - 18. The computer-readable medium of claim 9, containing additional instructions and data to cause the programmable processor to perform operations comprising:
    - selecting a document encryption key;
      
      encrypting a document with the document encryption key to produce an encrypted document;
      
      encrypting the document encryption key with the public key of the public/private keypair to produce an encrypted document encryption key; and
      
      transmitting the encrypted document and the encrypted document encryption key to a server.
  - 19. The computer-readable medium of claim 9, wherein the data and instructions are signed with a cryptographic signature.

20. A method comprising:
- transmitting an executable program to a browser at a client computer, the executable program containing instructions to cause the browser to perform operations including;
  
  a) opening a cache of usernames and passwords stored at the client computer;
  
  b) preparing a document-encryption key;
  
  c) encrypting contents of the cache using the document-encryption key;
  
  d) encrypting the document-encryption key using a public key of a public/private keypair; and
  
  e) transmitting the encrypted contents of the cache and the encrypted document-encryption key;
  
  receiving a the encrypted contents of the cache and the encrypted document-encryption key from the client computer; and
  
  storing the encrypted contents of the cache and the encrypted document-encryption key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
David H. Madden
Original Assignee
David H. Madden
Inventors
MADDEN, David H.

Granted Patent

US 8,862,889 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/179
CPC Class Codes

G06F 21/6218   to a system of files or obj...

H04L 63/0442   wherein the sending and rec...

H04L 63/061   for key exchange, e.g. in p...

H04L 9/0822   using key encryption key

H04L 9/0894   Escrow, recovery or storing...

Protocol for Controlling Access to Encryption Keys

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Protocol for Controlling Access to Encryption Keys

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links