Secure distribution of private keys to multiple clients
First Claim
1. A method of securely communicating a private key of a cryptographic key pair from a remote server to a client computer over a network comprising:
- receiving a login name and a password from a user;
applying a first hashing function to the password and a first random number stored on the client computer to produce a first hash value;
applying a second hashing function to the password and a second random number stored on the client computer to produce a second hash value, the first random number being different than the second random number;
sending the login name and the first hash value to the remote server;
receiving an encrypted private key from the remote server in response, the private key being encrypted using a symmetric encryption process; and
decrypting the received encrypted private key using the second hash value as a symmetric key.
1 Assignment
0 Petitions
Accused Products
Abstract
A private key may be securely distributed to a user of a remote client computer over an insecure channel. The user'"'"'s private key is transmitted to the client from a remote server in an encrypted format. A first hash of the user'"'"'s password is transmitted to the remote server and is used to authenticate the user. A second hash of the user'"'"'s password remains with the client computer and is used to decrypt the user'"'"'s private key. The user only has to remember one login name and a single associated password. Thus, the private key can be securely distributed from the remote server to the client computer system. The distribution does not require the user to carry any special hardware devices and only requires a single password. Because the private key is not permanently stored at the client computers, even if an unauthorized user has access to the client computers, they are not likely to be able to obtain the private key. Similarly, because the remote server only has access to an encrypted version of the private key, and because the remote server does not store and has no way of uncovering the user'"'"'s password, the remote server, even if broken in to, is not likely to compromise the user'"'"'s private key.
-
Citations
32 Claims
-
1. A method of securely communicating a private key of a cryptographic key pair from a remote server to a client computer over a network comprising:
-
receiving a login name and a password from a user;
applying a first hashing function to the password and a first random number stored on the client computer to produce a first hash value;
applying a second hashing function to the password and a second random number stored on the client computer to produce a second hash value, the first random number being different than the second random number;
sending the login name and the first hash value to the remote server;
receiving an encrypted private key from the remote server in response, the private key being encrypted using a symmetric encryption process; and
decrypting the received encrypted private key using the second hash value as a symmetric key. - View Dependent Claims (2, 3, 4, 5, 6, 7)
-
-
8. An article comprising:
- a computer-readable medium storing instructions, that when executed by a processor, cause the secure communication of a private key of a cryptographic key pair from a remote server to a client computer over a network by
receiving a login name and a password from a user;
applying a first hashing function to the password and a first random number stored on the client computer to produce a first hash value;
applying a second hashing function to the password and a second random number stored on the client computer to produce a second hash value, the first random number and the second random number being different fixed random numbers;
sending the login name and the first hash value to the remote server;
receiving an encrypted private key from the remote server in response, the private key being encrypted using a symmetric encryption process; and
decrypting the received encrypted private key using the second hash value as a symmetric key. - View Dependent Claims (9, 10, 11, 12, 13, 14)
- a computer-readable medium storing instructions, that when executed by a processor, cause the secure communication of a private key of a cryptographic key pair from a remote server to a client computer over a network by
-
15. A client computer system comprising:
-
a processor; and
a memory coupled to the processor, the memory storing a first random number;
a second random number, the first random number and the second random number being different fixed random numbers;
a first hashing function to produce a first hash value based at least in part on a password received from a user and the first random number, and to send the first hash value and a user'"'"'s login name to a remote server;
a second hashing function to produce a second hash value based at least in part on the password and the second random number; and
a decryption function to receive an encrypted private key from a remote server in response to the sending of the first hash value and the user'"'"'s login name, and to decrypt the received encrypted private key using the second hash value as a symmetric key. - View Dependent Claims (16, 17, 18, 19)
-
-
20. A method comprising:
-
receiving a user'"'"'s login name and a password;
applying a first hashing function to the password and a first random number to produce a first hash value;
applying a second hashing function to the password and a second random number to produce a second hash value, the first random number and the second random number being different fixed random numbers;
encrypting a private key of a cryptographic key pair associated with the user using the second hash value as a symmetric key; and
storing the user'"'"'s login name, the first hash value, and the encrypted private key in an entry in a data structure. - View Dependent Claims (21, 22)
receiving the user'"'"'s login name and the first hash value from a client computer system;
determining if the received login name and received first hash value match an entry in the data structure; and
sending the encrypted private key from the entry to the client computer system when the received login name and received first hash value match the entry.
-
-
22. The method of claim 20, further comprising generating the cryptographic key pair associated with the user prior to encrypting the private key.
-
23. An article comprising:
- a computer-readable medium storing instructions, that when executed by a processor, cause
receiving a user'"'"'s login name and a password;
applying a first hashing function to the password and a first random number to produce a first hash value;
applying a second hashing function to the password and a second random number to produce a second hash value, the first random number and the second random number being different fixed random numbers;
encrypting a private key of a cryptographic key pair associated with the user using the second hash value as a symmetric key; and
storing the user'"'"'s login name, the first hash value, and the encrypted private key in an entry in a data structure. - View Dependent Claims (24, 25)
receiving the user'"'"'s login name and the first hash value from a client computer system; determining if the received login name and received first hash value match an entry in the data structure; and
sending the encrypted private key from the entry to the client computer system when the received login name and received first hash value match the entry.
- a computer-readable medium storing instructions, that when executed by a processor, cause
-
25. The article of claim 23, further comprising instructions for generating the cryptographic key pair associated with the user prior to encrypting the private key.
-
26. A server system comprising:
-
a data structure storing a plurality of entries, each entry including a user login name, a first hash value, and an encrypted private key; and
a cryptographic component coupled to the data structure, to generate the first hash value by applying a first hash function to a user'"'"'s password corresponding to the user login name and a first random number, to generate a second hash value by applying a second hash function to the user'"'"'s password and a second random number, the first random number and the second random number being different fixed random numbers, to encrypt a private key of a cryptographic key pair for the user using a second hash value as a symmetric key, to store the user login name, the first hash value, and the encrypted private key in an entry in the data structure, to receive a request to retrieve the encrypted private key from a client computer system, the request including the user login name and the first hash value, to compare the received user login name and the received first hash value to entries in the data structure, and to send the encrypted private key to the client computer system from an entry in the data structure when the received user login name and the received first hash value match the user login name and first hash value of the entry. - View Dependent Claims (27, 28, 29, 30, 31)
-
-
32. A system comprising:
-
a remote server including a data structure storing a plurality of entries, each entry including a user login name, a first hash value, and an encrypted private key; and
a cryptographic component coupled to the data structure, to generate the first hash value by applying a first hash function to a user'"'"'s password corresponding to the user login name and a first random number, to generate a second hash value by applying a second hash function to the user'"'"'s password and a second random number, the first random number and the second random number being different fixed random numbers, to encrypt a private key of a cryptographic key pair for the user using the second hash value as a symmetric key, to store the user login name, the first hash value, and the encrypted private key in an entry in the data structure, to receive a request to retrieve the encrypted private key, the request including the user login name and the first hash value, to compare the received user login name and the received first hash value to entries in the data structure, and to send the encrypted private key from an entry in the data structure when the received user login name and the received first hash value match the user login name and first hash value of the entry; and
a plurality of client computer systems coupled to the remote server, each of the client computer systems including a processor; and
a memory coupled to the processor, the memory storing the first random number;
the second random number;
the first hashing function to produce the first hash value based at least in part on a password received from the user and the first random number, and to send the first hash value and the user'"'"'s login name to the remote server;
the second hashing function to produce the second hash value based at least in part on the password and the second random number; and
a decryption function to receive the encrypted private key from the remote server in response to the sending of the first hash value and the user'"'"'s login name, and to decrypt the received encrypted private key using the second hash value as a symmetric key.
-
Specification