SECURING A SECRET OF A USER

US 20130212393A1
Filed: 11/11/2012
Published: 08/15/2013
Est. Priority Date: 02/13/2012
Status: Active Grant

First Claim

Patent Images

1. A method of securing a secret of a user, comprising:

receiving, by a user server, a secret from the user;

generating encrypted shares based on the secret, a policy, and a plurality of public keys;

providing the encrypted shares to a custodian server of a first custodian; and

verifying, by the custodian server, that the encrypted shares can be used to reconstitute the secret upon receiving the encrypted shares.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems and apparatuses for securing a secret are disclosed. One method includes receiving a secret from the user and generating encrypted shares based on the secret, a policy, and a plurality of public keys. The encrypted shares are provided to a custodian, wherein the custodian verifies that the encrypted shares can be used to reconstitute the secret upon receiving the encrypted shares.

51 Citations

View as Search Results

24 Claims

1. A method of securing a secret of a user, comprising:
- receiving, by a user server, a secret from the user;
  
  generating encrypted shares based on the secret, a policy, and a plurality of public keys;
  
  providing the encrypted shares to a custodian server of a first custodian; and
  
  verifying, by the custodian server, that the encrypted shares can be used to reconstitute the secret upon receiving the encrypted shares.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 2. The method of claim 1, wherein generating the encrypted shares comprises:
    - generating a plurality of shares from the secret; and
      
      encrypting each share utilizing a corresponding one of the plurality of public keys.
  - 3. The method of claim 2, wherein verifying, by the custodian, that the encrypted shares can be used to reconstitute the secret upon receiving the encrypted shares comprises:
    - leveraging, by the first custodian, one-way cryptographic functions, wherein the first custodian can reconstruct the secret, but cannot obtain access to the secret or any of the shares.
  - 4. The method of claim 1, further comprising a plurality of adjudicators, wherein each of the plurality of public keys has a corresponding at least one adjudicator of the plurality of adjudicators, and a corresponding secret key.
  - 5. The method of claim 4, further comprising escrowing the corresponding secret key of one or more of the plurality of public keys.
  - 6. The method of claim 5, wherein escrowing the corresponding secret key comprises:
    - generating, encrypted shares based on the corresponding secret key, a policy, and a plurality of public keys;
      
      providing the encrypted shares to a second custodian.
  - 7. The method of claim 5, wherein escrowing the corresponding secret key comprises:
    - generating, encrypted shares based on the corresponding secret key, a policy, and a plurality of public keys;
      
      splitting the encrypted shares; and
      
      providing the split encrypted shares between more than one custodian.
  - 8. The method of claim 6, wherein the first custodian and the second custodian are part of a common network.
  - 9. The method of claim 4, further comprising monitoring a loss of one or more of the plurality adjudicators.
  - 10. The method of claim 9, further comprising providing the user with an early warning if the loss of adjudicators exceeds a threshold, thereby allowing the user to select new or different adjudicators.
  - 11. The method of claim 1, wherein generating the encrypted shares based on the secret, a policy, and one or more public keys, is performed within a trust boundary.
  - 12. The method of claim 1, wherein the custodian comprises a cloud network.
  - 13. The method of claim 1, wherein verifying, by the first custodian, that the encrypted shares can be used to reconstitute the secret is based upon the encrypted shares received by the custodian, the public keys and the policy.
  - 14. The method of claim 1, wherein the given condition comprises an event or a combination of events.
  - 15. The method of claim 1, wherein approved parties can decrypt the shares, wherein approved parties comprise parties who have access to the encrypted shares.
  - 16. The method of claim 1, wherein approved parties can decrypt the shares, wherein approved parties comprise parties who have secret keys that can decrypt the encrypted shares.
  - 17. The method of claim 1, wherein the first custodian receives the encrypted shares, but cannot decrypt the secret shares.
  - 18. The method of claim 1, further comprising:
    - receiving a user name, a number n of security questions, and a threshold value k from the user;
      
      generating for each of the n security questions, key pairs SKi, PKi for encryption of subsequently created secret shares derived from the secret;
      
      receiving N distinct questions Q[1] . . . Q[n] along with corresponding answers A[1] . . . A[n] to the N distinct questions Q[1] . . . Q[n] from the user;
      
      whereingenerating the encrypted shares comprises;
      
      deriving symmetric encryption keys KA[i] based on each of the answers;
      
      encrypting each of the key pairs SKi, PKi based on a corresponding symmetric encryption key KA[i], to obtain encrypted keys ESK[1] . . . ESK[n].
  - 19. The method of claim 18, wherein providing the encrypted shares to the first custodian comprises:
    - uploading the encrypted keys ESK[1] . . . ESK[n] and the distinct questions Q[1] . . . Q[n] to the custodian; and
      
      whereinverifying comprises;
      
      generating secret shares SS[1] . . . SS[n];
      
      generating encrypted shares ESS[i] by encrypting each secret share SS[1] . . . SS[n] using the corresponding public key PKi;
      
      uploading the encrypted share ESS[1] . . . ESS[n];
      
      generating an asymmetric key pair (PK, SK); and
      
      obtaining an encrypted asymmetric key ESK by encrypting the secret key SK using an symmetric encryption key PWD_K derived from a passphrase password as specified by a user; and
      
      uploading the encrypted asymmetric key ESK.
  - 20. The method of claim 19, further comprising:
    - prompting the user to select and provide answers A′
      
      [1] . . . A′
      
      [k] to the k security questions Q[1] . . . Q[k];
      
      downloading, by the user device, encrypted shares ESS[1] . . . ESS[k] and encrypted keys ESK[1] . . . ESK[k];
      
      deriving keys KA[1] . . . KA[k] from the provided answers A′
      
      [1] . . . A′
      
      [k];
      
      (an incorrect answer yields an incorrect key)attempting to decrypt ESK[1] . . . ESK[k] using the keys KA[1] . . . KA[k];
      
      obtaining the secret keys SK[1] . . . SK[k];
      
      decrypting the encrypted shares ESS[1] . . . ESS[k] using the secret keys SK[1] . . . SK[k];
      
      obtaining the secret shares SS[1] . . . SS[k] based on the encrypted shares ESS[1] . . . ESS[k];
      
      recovery the password or the symmetric encryption key PWD_K using the secret shares SS[1] . . . SS[k] if the provided answers A′
      
      [1] . . . A′
      
      [k] are correct.
  - 21. The method of claim 20, wherein if the provided answers are determine not to be correct, the prompting the user for a new set of k security questions and answers.
  - 22. The method of claim 20, wherein if the provided answers are determine to be correct, than allowing the user to change the secret.

23. A system for securing a secret, comprising:
- a user server operative to;
  
  receive a secret from the user;
  
  generate encrypted shares based on the secret, a policy, and a plurality of public keys; and
  
  provide the encrypted shares to a custodian server;
  
  whereinthe custodian server verifies that the encrypted shares can be used to reconstitute the secret upon receiving the encrypted shares.

24. A custodian server operating a cloud connect service, the custodian server operative to:
- receive encrypted shares from a user server, wherein the encrypted shares based on a secret, a policy, and a plurality of public keys, an wherein the secret is received from a user of the user device; and
  
  verify that the encrypted shares can be used to reconstitute the secret upon receiving the encrypted shares.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
AlephCloud Systems, Inc.
Original Assignee
AlephCloud Systems, Inc.
Inventors
D'Souza, Roy Peter

Granted Patent

US 8,731,203 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/171
CPC Class Codes

H04L 63/061   for key exchange, e.g. in p...

H04L 63/064   Hierarchical key distributi...

H04L 63/0823   using certificates cryptogr...

H04L 63/107   wherein the security polici...

H04L 9/085   Secret sharing or secret sp...

H04L 9/088   Usage controlling of secret...

H04L 9/0891   Revocation or update of sec...

H04L 9/14   using a plurality of keys o...

H04L 9/30   Public key, i.e. encryption...

H04L 9/321   involving a third party or ...

SECURING A SECRET OF A USER

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

24 Claims

Specification

Solutions

Use Cases

Quick Links

SECURING A SECRET OF A USER

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

24 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links