Methods and apparatus for recovering keys

US 6,160,891 A
Filed: 10/20/1997
Issued: 12/12/2000
Est. Priority Date: 10/20/1997
Status: Expired due to Term

First Claim

Patent Images

1. A system for decrypting a key recovery file comprising an encrypted first key, the system comprising:

a first decryptor, having a first input operatively coupled to receive at least a portion of the key recovery file and a second input operatively coupled to receive a second key, the first decryptor for decrypting at least a portion of the portion of the key recovery file received responsive to the second key received to produce a first decrypted first key and for providing at an output the first decrypted first key;

a private information encoder having an input operatively coupled to receive a first set of private information, the private information encoder for encoding the first set of private information to produce encoded private information and for providing at an output the encoded private information; and

a second decryptor having a first input coupled to the first decryptor output for receiving the first decrypted first key and a second input coupled to the private information encoder output for receiving the encoded private information, the second decryptor for decrypting the first decrypted first key received at the second decryptor first input responsive to the encoded private information received at the second decryptor second input to produce the first key and for providing the first key at an output coupled to a system output.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A key such as a private key or key password of a private key is encrypted for storage, and may be decrypted if the private key becomes lost or unavailable. The key is encrypted by encoding, for example, by hashing, private information such as mother'"'"'s maiden name and social security number, and the result is used as a key to encrypt the private key using DES or another symmetric encryption technique. The encrypted key is again encrypted, for example using asymmetric encryption, using the public key of a trusted party such as the certificate authority that generated the private key. The result may be stored as a key recovery file by the principal of the private key or another party. To decrypt the key recovery file, the private key corresponding to the public key used to encrypt the key recovery file is used to decrypt the key recovery file, for example by asymmetric decryption. The result is symmetrically decrypted using a key obtained by encoding, for example, by hashing, the private information in the same manner as was used to encrypt the key. The result of this decryption is the key.

119 Citations

34 Claims

1. A system for decrypting a key recovery file comprising an encrypted first key, the system comprising:
- a first decryptor, having a first input operatively coupled to receive at least a portion of the key recovery file and a second input operatively coupled to receive a second key, the first decryptor for decrypting at least a portion of the portion of the key recovery file received responsive to the second key received to produce a first decrypted first key and for providing at an output the first decrypted first key;
  
  a private information encoder having an input operatively coupled to receive a first set of private information, the private information encoder for encoding the first set of private information to produce encoded private information and for providing at an output the encoded private information; and
  
  a second decryptor having a first input coupled to the first decryptor output for receiving the first decrypted first key and a second input coupled to the private information encoder output for receiving the encoded private information, the second decryptor for decrypting the first decrypted first key received at the second decryptor first input responsive to the encoded private information received at the second decryptor second input to produce the first key and for providing the first key at an output coupled to a system output.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. The system of claim 1 additionally comprising:
    - a private information storage for storing a second set of private information, and for providing at an output coupled to the private information encoder input at least a portion of the second set of the private information stored responsive to a first index received at an input.
  - 3. The system of claim 2, additionally comprising a private information compare having a first input coupled to the private information storage output for receiving the portion of the second set of private information and a second input operatively coupled to receive a third set of private information, the private information compare for comparing the portion of the second set of private information received at the private information compare first input and the third set of private information received at the private information compare second input and providing at an output coupled to the private information encoder input one selected from the portion of the second set of private information and the third set of private information responsive to the portion of the second set of private information received at the private information compare first input equivalent to the third set of private information received at the private information compare second input.
  - 4. The system of claim 3 wherein the private information compare comprises an override input having a first state and a second state and the private information compare additionally provides at the private information compare output the portion of the second set of private information responsive to the override input in the first state.
  - 5. The system of claim 2, wherein:
    - the first key is one selected from a key password of a private key and a private key;
      
      the first index is a public key; and
      
      the private key is capable of use for decrypting information encrypted using the public key.
  - 6. The system of claim 1 wherein:
    - the private information encoder comprises a hasher having an input coupled to the private information encoder input to receive at least a portion of the private information, the hasher for hashing the private information received at the hasher input to produce hashed private information, and for providing the hashed private information at an output coupled to the private information encoder output; and
      
      the encoded private information comprises the hashed private information.
  - 7. The system of claim 6, wherein the hasher comprises a SHA-1 hasher having an input coupled to the hasher input to receive at least a portion of the private information, the SHA-1 hasher for SHA-1-hashing the private information received at the SHA-1 hasher input to produce and provide at an output coupled to the hasher output the SHA-1-hashed private information;
    - andthe encoded private information comprises the SHA-1-hashed private information.
  - 8. The system of claim 6, wherein the hasher comprises a MD-5 hasher having an input coupled to the hasher input to receive at least a portion of the private information, the MD-5 hasher for MD-5-hashing the private information received at the MD-5 hasher input to produce and provide at an output coupled to the hasher output the MD-5-hashed private information;
    - andthe encoded private information comprises the MD-5-hashed private information.
  - 9. The system of claim 1 wherein:
    - the second decryptor comprises a DES decryptor having a first input coupled to the second decryptor first input for receiving the first decrypted first key, a second input coupled to the second decryptor second input for receiving the encoded private information, the DES decryptor for DES decrypting the first decrypted first key received at the DES decryptor second input responsive to the encoded private information received at the DES decryptor second input to produce a DES-decrypted first key, and for providing at an output coupled to the second decryptor output the DES-decrypted first key; and
      
      the first decrypted first key comprises the DES-decrypted first key.
  - 10. The system of claim 1 wherein the second key is a private key.
  - 11. The system of claim 10 wherein:
    - the first key is one selected from a key password of a private key generated by a certificate authority and a private key generated by a certificate authority; and
      
      the second key is a private key of the certificate authority.
  - 12. The system of claim 1 wherein:
    - the first decryptor comprises an asymmetric decryptor having a first input coupled to the first decryptor first input to receive at least a portion of the key recovery file and a second input coupled to the first decryptor second input to receive the second key, the asymmetric decryptor for asymmetrically decrypting the key recovery file responsive to the second key to produce an asymmetrically decrypted key recovery file, and for providing at the output the asymmetrically decrypted key recovery file; and
      
      the first decrypted first key comprises the asymmetrically decrypted first key.

13. A method of decrypting a key recovery file comprising an encrypted first key, the method comprising:
- receiving at least a portion of the key recovery file;
  
  receiving a second key;
  
  using a first decryptor, decrypting the portion of the key recovery file received responsive to the second key received;
  
  receiving a first set of private information;
  
  encoding the first set of private information received; and
  
  using a second decryptor, and responsive to the first set of private information encoded, decrypting the portion of the key recovery file.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. The method of claim 13 wherein the receiving private information step comprises:
    - providing an index; and
      
      receiving the first set of private information responsive to the index provided.
  - 15. The method of claim 14, wherein:
    - the receiving private information step additionally comprises receiving an index;
      
      the index provided comprises at least a portion of the index received; and
      
      the index received comprises a public key.
  - 16. The method of claim 14 additionally comprising the steps of:
    - receiving a second set of private information;
      
      comparing the first set of private information received with the second set of private information received; and
      
      wherein the encoding step and the step of decrypting the key recovery file responsive to the first set of private information encoded are responsive to the first set of private information received being equivalent to the second set of private information received.
  - 17. The method of claim 13 wherein the encoding step comprises hashing the first set of private information received using a hash function.
  - 18. The method of claim 17 wherein the hash function is one selected from SHA-1 and MD-5.
  - 19. The method of claim 13, wherein the decrypting step comprises DES decrypting the key recovery file decrypted using the encoded first set of private information as a decryption key.
  - 20. The method of claim 13, wherein decrypting the key recovery file comprises asymmetrically decrypting the key recovery file using the second key received as a decryption key.
  - 21. The method of claim 13, wherein the second key is a private key.
  - 22. The method of claim 21 wherein:
    - the encrypted first key is produced from one selected from a key password of a first private key generated by a certificate authority and a first private key generated by a certificate authority; and
      
      the second key comprises a certificate authority private key.
  - 23. The method of claim 13 wherein the first decryptor and the second decryptor are the same decryptor.

24. A computer program product comprising a computer useable medium having computer readable program code embodied therein for decrypting a key recovery file comprising an encrypted first key, the computer program product comprising:
- computer readable program code devices configured to cause a computer to receive at least a portion of the key recovery file;
  
  computer readable program code devices configured to cause a computer to receive a second key;
  
  computer readable program code devices configured to cause a computer using a first decryptor to decrypt the portion of the key recovery file received responsive to the second key received;
  
  computer readable program code devices configured to cause a computer to receive a first set of private information;
  
  computer readable program code devices configured to cause a computer to encode the first set of private information received; and
  
  computer readable program code devices configured to cause a computer using a second decryptor to, responsive to the first set of private information encoded, decrypt the portion of the key recovery file.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 25. The computer program product of claim 24 wherein the computer readable program code devices configured to cause a computer to receive private information comprise:
    - computer readable program code devices configured to cause a computer to provide an index; and
      
      computer readable program code devices configured to cause a computer to receive the first set of private information responsive to the index provided.
  - 26. The computer program product of claim 25, wherein:
    - the computer readable program code devices configured to cause a computer to receive private information step additionally comprise computer readable program code devices configured to cause a computer to receive an index;
      
      the index provided comprises at least a portion of the index received; and
      
      the index received comprises a public key.
  - 27. The computer program product of claim 26 additionally comprising:
    - computer readable program code devices configured to cause a computer to receive a second set of private information;
      
      computer readable program code devices configured to cause a computer to compare the first set of private information received with the second set of private information received; and
      
      wherein the computer readable program code devices configured to cause a computer to encode the first set of private information and decrypt the key recovery file responsive to the first set of private information encoded are responsive to the first set of private information received being equivalent to the second set of private information received.
  - 28. The computer program product of claim 24 wherein the computer readable program code devices configured to cause a computer to encode comprise computer readable program code devices configured to cause a computer to hash the first set of private information received using a hash function.
  - 29. The computer program product of claim 28 wherein the hash function one selected from is SHA-1 and MD-5.
  - 30. The computer program product of claim 24, wherein the computer readable program code devices configured to cause a computer to decrypt comprise computer readable program code devices configured to cause a computer to DES decrypt the key recovery file decrypted using the encoder first set of private information encoded as a decryption key.
  - 31. The computer program product of claim 24, wherein computer readable program code devices configured to cause a computer to decrypt the key recovery file comprise computer readable program code devices configured to cause a computer to asymmetrically decrypt the key recovery file using the second key received as a decryption key.
  - 32. The computer program product of claim 24, wherein the second key is a private key.
  - 33. The computer program product of claim 32 wherein:
    - the encrypted first key is produced from one selected from a key password of a first private key generated by a certificate authority and a first private key generated by a certificate authority; and
      
      the second key comprises a certificate authority private key.
  - 34. The computer program product of claim 24 wherein the first decryptor and the second decryptor are the same decryptor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle America, Inc. (Oracle Corporation)
Original Assignee
Sun Microsystems Incorporated (Oracle Corporation)
Inventors
Al-Salqan, Yahya Y
Primary Examiner(s)
Hayes, Gail O.
Assistant Examiner(s)
SONG, HOSUK

Application Number

US08/954,170
Time in Patent Office

1,149 Days
Field of Search

380/21, 380/25, 380/30, 380/4, 380/281, 380/282, 380/286, 380/278, 380/44, 380/277, 380/279, 713/184, 713/165
US Class Current

380/286
CPC Class Codes

H04L 9/0643   Hash functions, e.g. MD5, S...

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0894   Escrow, recovery or storing...

Methods and apparatus for recovering keys

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

119 Citations

34 Claims

Specification

Use Cases

Quick Links

Others

Methods and apparatus for recovering keys

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

119 Citations

34 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others