Method and apparatus for secure distribution of public/private key pairs
First Claim
1. A method of securing a private key on a client-server network, comprising:
- accessing a first key-pair on a server processor, the first key-pair comprising a public key and a first encrypted private key corresponding to the public key, communicating the first encrypted private key to a client processor, decrypting the first encrypted private key at the client processor using a first key to produce the private key, encrypting the private key at the client processor using a second key to produce a second encrypted private key corresponding to the public key, communicating the second encrypted private key to the server processor, and storing the second encrypted private key corresponding to the public key at the server processor to facilitate a subsequent communication of the second encrypted private key to an other client processor.
8 Assignments
0 Petitions
Accused Products
Abstract
A list of public/private key pairs are stored at a server, wherein the private key is stored in an encrypted form, the encryption being based on a master key. To distribute a public/private key pair to a new user, an administrator who has access to the master key retrieves the next available public/private key pair from the server at a client processor that is convenient to both the administrator and the new user. At the client processor, the administrator decrypts the private key of the public/private key pair, using the master key, and provides both the public and private keys to the new user. The new user encrypts the private key, using a biometric or passphrase that is secret to the new user. The private key is immediately erased from the client processor upon encryption with the user'"'"'s biometric or passphrase key. The encrypted private key, the corresponding public key, and an identification of the new user are communicated to and stored at the server for subsequent access by the new user, and potentially others. By employing this technique, the private key is vulnerable to detection only within the client processor, and only for a brief period of time.
-
Citations
21 Claims
-
1. A method of securing a private key on a client-server network, comprising:
-
accessing a first key-pair on a server processor, the first key-pair comprising a public key and a first encrypted private key corresponding to the public key, communicating the first encrypted private key to a client processor, decrypting the first encrypted private key at the client processor using a first key to produce the private key, encrypting the private key at the client processor using a second key to produce a second encrypted private key corresponding to the public key, communicating the second encrypted private key to the server processor, and storing the second encrypted private key corresponding to the public key at the server processor to facilitate a subsequent communication of the second encrypted private key to an other client processor. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
removing the first encrypted private key from the server processor.
-
-
3. The method of claim 1, wherein
decrypting the first encrypted private key is based on a symmetric key cryptosystem. -
4. The method of claim 1, wherein
decrypting the first encrypted private key is based on an asymmetric key cryptosystem. -
5. The method of claim 1, wherein
encrypting the second encrypted private key is based on a symmetric key cryptosystem. -
6. The method of claim 1, wherein
encrypting the second encrypted private key is based on an asymmetric key cryptosystem. -
7. The method of claim 1, wherein
the first key-pair is stored in a list of available key-pairs on the server processor. -
8. The method of claim 1, further including
obtaining user information to produce the second key. -
9. The method of claim 8, wherein
the user information includes at least one of: - a biometric information, a password, and a passphrase.
-
10. The method of claim 1, further including
decrypting an encrypted first key at the client processor using an administrator key to produce the first key. -
11. The method of claim 10, wherein
the administrator key is based on at least one of: - a biometric information, a password, and a passphrase.
-
12. A client processor comprising:
-
a receiver that receives a first encrypted private key corresponding to a public key of a key-pair from a server processor, a decrypter that decrypts the first encrypted private key based on a first key to produce a private key corresponding to the public key, an encrypter that encrypts the private key based on a second key to produce a second encrypted private key, and a transmitter that transmits the second encrypted private key corresponding to the public key to the server processor to facilitate a retrieval of the second encrypted private key by an other client processor. - View Dependent Claims (13, 14, 15, 16)
an other decrypter that decrypts an encrypted first key based on an administrator key to produce the first key. -
14. The client processor of claim 13, wherein
the administrator key is based on at least one of: - a biometric information, a password, and a passphrase.
-
15. The client processor of claim 12, further including an input device that provides user information to produce the second key.
-
16. The client processor of claim 15, wherein
the user information includes at least one of: - a biometric information, a password, and a passphrase.
-
-
17. A server processor comprising
a storage device that provides a public key and a first encrypted private key corresponding to the public key, a transmitter, operably coupled to the storage device, that transmits the first encrypted private key to a client processor, a receiver, operably coupled to the storage device, that receives a second encrypted private key corresponding to the public key and communicates the second encrypted private key to the storage device to facilitate a transmission of the second encrypted private key to an other client processor.
Specification