Methods and systems for key recovery for a token

US 7,822,209 B2
Filed: 06/06/2006
Issued: 10/26/2010
Est. Priority Date: 06/06/2006
Status: Active Grant

First Claim

Patent Images

1. A method of recovering keys, comprising:

generating a key transport session key;

deriving, by a processor, a key encryption key based on a server master key and an identification associated with a token;

encrypting the key transport session key with the key encryption key as a first wrapped key transport session key;

retrieving an encrypted storage session key and an encrypted private key from an archive;

decrypting the encrypted storage session key with a server storage key as a storage session key;

decrypting the encrypted private key with the storage session key;

encrypting the decrypted private key with the key transport session key as a wrapped private key; and

forwarding the wrapped private key and the first wrapped key transport session key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, systems and computer readable mediums are provided for recovering keys. A key transport session key is generated, and a key encryption key is derived based on a server master key and an identification associated with a token. The key transport session key is encrypted with the key encryption key as a first wrapped key transport session key. An encrypted storage session key and an encrypted private key are retrieved from an archive. The encrypted storage session key is decrypted with a server storage key as a storage session key. The encrypted private key is decrypted with the storage session key. The decrypted private key is encrypted with the key transport session key as a wrapped private key. The wrapped private key and the first wrapped key transport session key are forwarded.

Citations

18 Claims

1. A method of recovering keys, comprising:
- generating a key transport session key;
  
  deriving, by a processor, a key encryption key based on a server master key and an identification associated with a token;
  
  encrypting the key transport session key with the key encryption key as a first wrapped key transport session key;
  
  retrieving an encrypted storage session key and an encrypted private key from an archive;
  
  decrypting the encrypted storage session key with a server storage key as a storage session key;
  
  decrypting the encrypted private key with the storage session key;
  
  encrypting the decrypted private key with the key transport session key as a wrapped private key; and
  
  forwarding the wrapped private key and the first wrapped key transport session key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising:
    - retrieving a server transport key and encrypting the key transport session key with the server transport key as a second wrapped key transport session key;
      
      forwarding the second wrapped key transport session key and the first wrapped key transport session key, and decrypting the second wrapped key transport session key.
  - 3. The method of claim 1, wherein the server master key is stored separately from the token.
  - 4. The method of claim 1, wherein the wrapped private key and the wrapped session key are forwarded to the token.
  - 5. The method of claim 1, further comprising:
    - retrieving at least one certificate associated with the token; and
      
      forwarding the at least one certificate.
  - 6. The method of claim 1, further comprising receiving a recovery request, wherein the generating and deriving are in response to the recovery request.
  - 7. The method of claim 1, further comprising, after the forwarding:
    - sending a challenge to the token;
      
      receiving a response to the challenge; and
      
      checking the accuracy of the response.
  - 8. The method of claim 1, further comprising, after the forwarding:
    - receiving a challenge; and
      
      sending a response to the challenge.
  - 9. An apparatus comprising:
    - a memory containing instructions; and
      
      a processor, coupled to the memory, that executes the instructions to perform the method of claim 1.
  - 10. A non-transitory computer-readable medium comprising computer instructions for implementing the method of claim 1.

11. A system for recovering keys, comprising:
- a security client configured to manage a token when connected to the token; and
  
  a security server computer configured to interface with the security client, the security server computer being configured to generate a key transport session key and derive a key encryption key based on a server master key and an identification associated with the token, encrypt the key transport session key with the key encryption key as a first wrapped key transport session key, retrieve a storage session key and an encrypted private key from an archive, decrypt the encrypted private key with the storage session key, encrypt the private key with the key transport session key as a wrapped private key, and forward the wrapped private key and the wrapped session key to the security client.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18)
- - 12. The system of claim 11, wherein the security server computer is further configured to:
    - connect to the token in accordance with the security client; and
      
      write the private key to the token.
  - 13. The system of claim 12, wherein the security client is further configured to participate in a challenge to the token, to confirm that the private key was written to the token.
  - 14. The system of claim 11, wherein the storage session key is encrypted, further comprising decrypting the storage session key with a server storage key.
  - 15. The system of claim 11, wherein the security server computer further comprises:
    - a token processing gateway configured to manage the interface between the security client and the security server computer;
      
      a key service module configured to interface with the token processing gateway;
      
      a certificate authority module configured to interface with the token processing gateway and to retrieve certificates; and
      
      an archive module configured to interface with the token processing gateway and configured to maintain a database of private keys, wherein the archive module is configured to store the private key.
  - 16. The system of claim 15, wherein the key service module is further configured to generate the key transport session key, to derive the key encryption key, and to encrypt the key transport session key with the key encryption key as the first wrapped key transport session key.
  - 17. The system of claim 15, wherein the archive module is further configured to retrieve the storage session key and the encrypted private key from the archive, decrypt the encrypted private key with the storage session key, encrypt the decrypted private key with the key transport session key, and forward the wrapped private key to the token processing gateway.
  - 18. The system of claim 15, wherein the token processing gateway is further configured to forward the wrapped private key and the first wrapped key transport session key to the token, to retrieve at least one certificate for the token, and to forward the at least one certificate to the token.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Fu, Christina, Parkinson, Steven William, Kwan, Nang Kon, Relyea, Robert
Primary Examiner(s)
LAFORGIA, CHRISTIAN A

Application Number

US11/447,179
Publication Number

US 20070280483A1
Time in Patent Office

1,603 Days
Field of Search

380/281, 380/284, 380/286, 726/9, 713/185
US Class Current

380/284
CPC Class Codes

H04L 9/0822 using key encryption key

H04L 9/0897 involving additional device...

Methods and systems for key recovery for a token

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for key recovery for a token

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links