ENCRYPTION KEY STORAGE

US 20130010966A1
Filed: 07/06/2011
Published: 01/10/2013
Est. Priority Date: 07/06/2011
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for encryption key storage comprising:

associating each of a plurality of identifiers with a different one of a plurality of key fragment stores;

determining a plurality of indexes, wherein each of the plurality of indexes is based upon a handle provided by a customer, an authorization token provided by the customer, and a different one of the plurality of identifiers;

partitioning an encryption key provided by the customer into a number of encryption key fragments; and

distributing the plurality of indexes and the number of encryption key fragments to the plurality of key fragment stores.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems, methods, and machine-readable and executable instructions are provided for encryption key storage. Encryption key storage may include associating each of a plurality of identifiers with a different one of a plurality of key fragment stores, determining a plurality of indexes, where each of the plurality of indexes is based upon a handle provided by a customer, an authorization token provided by the customer, and a different one of the plurality of identifiers, partitioning an encryption key provided by the customer into a number of encryption key fragments, and distributing the plurality of indexes and the number of encryption key fragments to the plurality of key fragment stores.

68 Citations

View as Search Results

15 Claims

1. A computer-implemented method for encryption key storage comprising:
- associating each of a plurality of identifiers with a different one of a plurality of key fragment stores;
  
  determining a plurality of indexes, wherein each of the plurality of indexes is based upon a handle provided by a customer, an authorization token provided by the customer, and a different one of the plurality of identifiers;
  
  partitioning an encryption key provided by the customer into a number of encryption key fragments; and
  
  distributing the plurality of indexes and the number of encryption key fragments to the plurality of key fragment stores.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1 wherein the number of encryption key fragments is a first number, n, and the encryption key is unobtainable without a second number, k, of the number of encryption key fragments such that n is greater than k.
  - 3. The method of claim 1 wherein the encryption key is partitioned with Shamir'"'"'s secret sharing algorithm.
  - 4. The method of claim 1 wherein each of the plurality of indexes is determined by applying a first hashing algorithm to a combination of the handle provided by the customer and the authorization token provided by the customer to generate a first uniquely coded value.
  - 5. The method of claim 4 wherein each of the plurality of indexes is determined by applying a second hashing algorithm to a combination of the first uniquely coded value and one of the plurality of identifiers.
  - 6. The method of claim 1 wherein distributing the plurality of indexes and the number of encryption key fragments includes distributing one or more of the plurality of indexes and one or more of the encryption key fragments to a particular key fragment store of the plurality of key fragment stores.
  - 7. The method of claim 1 further comprising receiving the handle provided by a customer and the authorization token provided by the customer to retrieve a quantity of the number of encryption key fragments.
  - 8. The method of claim 7 further comprising reconstructing the encryption key from the quantity of the number of encryption key fragments.
  - 9. The method of claim 8 further comprising providing the reconstructed encryption key to the customer.

10. A machine-readable non-transitory medium storing a set of instructions for encryption key storage executable by a machine to cause the machine to:
- receive an encryption key provided by a customer;
  
  determine a plurality of identifiers, where each of the plurality of identifiers is individually associated with a different one of a plurality of key fragment stores;
  
  apply a first hashing algorithm to a combination of a handle provided by a customer and an authorization token provided by the customer to generate a first uniquely coded value;
  
  apply a second hashing algorithm to a combination of the first uniquely coded value and individually each of the plurality of identifiers to provide a plurality of indexes;
  
  partition the encryption key into a number of encryption key fragments with Shamir'"'"'s secret sharing algorithm; and
  
  distribute one of the plurality of indexes and one of the number of encryption key fragments to a respective key fragment store of the plurality of key fragment stores such that each of the plurality of indexes and each of the number of encryption key fragments are distributed;
  
  store the distributed number of encryption key fragments in a number of the plurality of key fragment stores;
  
  receive the handle and the authorization token from the customer to retrieve encryption key fragments;
  
  reconstruct the encryption key from the retrieved encryption key fragments; and
  
  provide the reconstructed encryption key to the customer.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The machine-readable non-transitory medium of claim 10 including instructions executable by the machine to cause the machine to:
    - ensure that of a first number n of encryption key fragments at least a second number k of encryption key fragments are stored in a number k of the plurality of key fragment stores before closing a secured channel between the customer and a provider of the encryption key storage, wherein n is greater than k.
  - 12. The machine-readable non-transitory medium of claim 10 including instructions executable by the machine to cause the machine to:
    - employ a replication protocol to reconstruct a lost encryption key fragment within one of the plurality of key fragment stores.
  - 13. The machine-readable non-transitory medium of claim 10 including instructions executable by the machine to cause the machine to:
    - distribute one of the plurality of indexes and one of the number of encryption key fragments to a replacement key fragment store due to unavailability of the respective key fragment store of the plurality of key fragment stores; and
      
      mark the one of the plurality of indexes and one of the number of encryption key fragments with a transfer marker to indicate it as a guest fragment and record its location in the replacement key fragment store.
  - 14. The machine-readable non-transitory medium of claim 11 including instructions executable by the machine to cause the machine to:
    - scan the plurality of key fragment stores to identify the guest fragment; and
      
      transfer the guest fragment from the replacement key fragment store to an original destination.

15. A computing system for encryption key storage, comprising:
- a computing device including;
  
  a memory;
  
  a processor coupled to the memory, to;
  
  associate each of a plurality of identifiers with a different one of a plurality of key fragment stores;
  
  determine a plurality of indexes, wherein each of the plurality of indexes is based upon a handle provided by a customer, an authorization token provided by the customer, and a different one of the plurality of identifiers, wherein the authorization token is unknown to an encryption key storage provider;
  
  partition an encryption key provided by the customer into a first number, n, number of encryption key fragments with Shamir'"'"'s secret sharing, wherein the encryption key is unobtainable without a second number, k, of the number of encryption key fragments such that n is greater than k; and
  
  distribute the plurality of indexes and the number of encryption key fragments to the plurality of key fragment stores such that at least k encryption key fragments are distributed to a first geographic region and at least k encryption key fragments are distributed to one or more other geographic regions.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hewlett Packard Enterprise Development LP (Hewlett-Packard Enterprise Company)
Original Assignee
Hewlett-Packard Development Company, L.P. (HP Inc.)
Inventors
Li, Jun, Swaminathan, Ram, Singhal, Sharad

Granted Patent

US 8,917,872 B2
Time in Patent Office

Days
Field of Search
US Class Current

380/278
CPC Class Codes

H04L 9/085 Secret sharing or secret sp...

ENCRYPTION KEY STORAGE

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

15 Claims

Specification

Solutions

Use Cases

Quick Links

ENCRYPTION KEY STORAGE

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

15 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links