Method and system of securely escrowing private keys in a public key infrastructure

US 6,931,133 B2
Filed: 09/03/2002
Issued: 08/16/2005
Est. Priority Date: 09/03/2002
Status: Expired due to Term

First Claim

Patent Images

1. A method for escrowing a private key in a public key infrastructure, comprising:

creating a key pair including a private key and a public key;

creating a session key;

encrypting the private key using the session key;

creating a session key mask;

storing the encrypted private key and the session key mask;

creating a masked session key by exclusive-ORing the session key and the session key mask;

deleting the session key; and

sending the masked session key and a digital certificate to a secondary site.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of restricting access to private keys in a public key infrastructure provides for storage of an encrypted private key at a primary site. A masked session key is stored at a secondary site, where the masked session key enables recovery of the private key. By using distributed storage architecture for recovery data, simplification can be achieved without sacrificing security.

Citations

26 Claims

1. A method for escrowing a private key in a public key infrastructure, comprising:
- creating a key pair including a private key and a public key;
  
  creating a session key;
  
  encrypting the private key using the session key;
  
  creating a session key mask;
  
  storing the encrypted private key and the session key mask;
  
  creating a masked session key by exclusive-ORing the session key and the session key mask;
  
  deleting the session key; and
  
  sending the masked session key and a digital certificate to a secondary site.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - sending a key recovery request, including the digital certificate, to the secondary site;
      
      receiving the masked session key from the secondary site;
      
      recreating the session key by exclusive-ORing the masked session key and the session key mask; and
      
      recovering the private key by decrypting the encrypted private key using the recreated session key.
  - 3. The method of claim 1, wherein the session key is a symmetric key.
  - 4. The method of claim 1, wherein said creating the session key includes using a triple-data encryption standard and an initialization vector.
  - 5. The method of claim 1, wherein the session mask is a random string having a bit-length equal to the session key.
  - 6. The method of claim 1, wherein the session mask is a pseudo-random string having a bit-length equal to the session key.
  - 7. The method of claim 2, wherein the key recovery request includes a plurality of digital certificates.
  - 8. The method of claim 2, further comprising:
    - combining the decrypted private key with a corresponding key pair certificate.
  - 9. The method of claim 2, further comprising:
    - creating an audit trail at the secondary site associated with the key recovery request.

10. A computer readable medium including instructions adapted to be executed by a processor to perform a method for escrowing a private key in a public key infrastructure, the method comprising:
- creating a key pair including a private key and a public key;
  
  creating a session key;
  
  encrypting the private key using the session key;
  
  creating a session key mask;
  
  storing the encrypted private key and the session key mask;
  
  creating a masked session key by exclusive-ORing the session key and the session key mask;
  
  deleting the session key; and
  
  sending the masked session key and a digital certificate to a secondary site.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer readable medium of claim 10, wherein the method further comprises:
    - sending a key recovery request, including the digital certificate, to the secondary site;
      
      receiving the masked session key from the secondary site;
      
      recreating the session key by exclusive-ORing the masked session key and the session key mask; and
      
      recovering the private key by decrypting the encrypted private key using the recreated session key.
  - 12. The computer readable medium of claim 10, wherein the session key is a symmetric key.
  - 13. The computer readable medium of claim 10, wherein said creating the session key includes using a triple-data encryption standard and an initialization vector.
  - 14. The computer readable medium of claim 10, wherein the session mask is a random string having a bit-length equal to the session key.
  - 15. The computer readable medium of claim 10, wherein the session mask is a pseudo-random string having a bit-length equal to the session key.
  - 16. The computer readable medium of claim 11, wherein the key recovery request includes a plurality of digital certificates.
  - 17. The computer readable medium of claim 11, wherein the method further comprises:
    - combining the decrypted private key with a corresponding key pair certificate.
  - 18. The computer readable medium of claim 11, wherein the method further comprises:
    - creating an audit trail at the secondary site associated with the key recovery request.

19. A system for escrowing a private key in a public key infrastructure, comprising:
- a secondary site, coupled to the network, including a secondary database and a control center; and
  
  a primary site, coupled to a network, including a primary database and a key management server, adapted to;
  
  create a key pair including a private key and a public key, create a session key, encrypt the private key using the session key, create a session key mask, store the encrypted private key and the session key mask in the primary database, create a masked session key by exclusive-ORing the session key and the session key mask, delete the session key, and send the masked session key and a digital certificate to the secondary site for storage within the secondary database.
- View Dependent Claims (20, 21, 22, 23, 24, 25, 26)
- - 20. The system of claim 19, wherein the primary site is further adapted to:
    - send a key recovery request, including the digital certificate, to the secondary site;
      
      receive the masked session key from the secondary site;
      
      recreate the session key by exclusive-ORing the masked session key and the session key mask; and
      
      recover the private key by decrypting the encrypted private key using the recreated session key.
  - 21. The system of claim 19, wherein the session key is a symmetric key.
  - 22. The system of claim 19, wherein said creating the session key includes using a triple-data encryption standard and an initialization vector.
  - 23. The system of claim 19, wherein the session mask is a random string having a bit-length equal to the session key.
  - 24. The system of claim 19, wherein the session mask is a pseudo-random string having a bit-length equal to the session key.
  - 25. The system of claim 20, wherein the key recovery request includes a plurality of digital certificates.
  - 26. The system of claim 20, wherein the primary site is further adapted to:
    - combine the decrypted private key with a corresponding key pair certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
DigiCert Incorporated
Original Assignee
VeriSign, Inc.
Inventors
Huang, Zhiyong, Ruan, Tom Qi Xiong, Andrews, Richard F.
Primary Examiner(s)
Barrón, Jr., Gilberto
Assistant Examiner(s)
Lanier, Benjamin E.

Application Number

US10/232,624
Publication Number

US 20040042620A1
Time in Patent Office

1,078 Days
Field of Search

380/286
US Class Current

380/286
CPC Class Codes

H04L 2209/04 Masking or blinding

H04L 9/0894 Escrow, recovery or storing...

Method and system of securely escrowing private keys in a public key infrastructure

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system of securely escrowing private keys in a public key infrastructure

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links