System and method for key recovery
Abstract
A secure mechanism for transparent key recovery for a user who has changed authentication information is disclosed. A password manager agent intercepts requests by a user to access secure resources that require user credentials. Upon detecting changed authentication information for the user, the password manager agent automatically regenerates the components of a cryptographic key associated with the user that was previously used to encrypt user credentials for the user and then destroyed. After regeneration of the original cryptographic key, the password manager agent uses the key to decrypt the user credentials necessary for the requested application. The regenerated key is then destroyed and the user credentials are re-encrypted by the password manager agent using a new cryptographic key associated with the user made up of multiple components. Following the re-encryption of the user credentials, the components used to assemble the new key are securely stored in multiple locations and the new key is destroyed.
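As an added illustration (not code from the patent or any product), the following Python models the flow the abstract describes: a credential is encrypted under a key assembled from XOR-split components held in separate storage locations, the assembled key is zeroed, and on a later access after the user's authenticator has changed the agent validates the user, regenerates the key from the stored components, decrypts, re-encrypts under a fresh key whose components are stored again, and destroys both assembled keys. The cipher (an HMAC-SHA256 keystream with an HMAC tag), the class and method names, and the sample users and secrets are constructed for this demo.

```python
from functools import reduce
import hashlib, hmac, secrets

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def split_key(key, n):
    # XOR-split a key into n components; every one of them is needed to rebuild it
    parts = [secrets.token_bytes(len(key)) for _ in range(n - 1)]
    return parts + [reduce(_xor, parts, key)]

def destroy(key):
    key[:] = bytes(len(key))  # zero the bytearray holding an assembled key

def _stream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, pt):
    # encrypt-then-MAC over an HMAC-SHA256 keystream: a demo construction, not a standard AEAD
    nonce = secrets.token_bytes(16)
    ct = _xor(pt, _stream(key, nonce, len(pt)))
    return nonce + ct + hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("credential blob failed authentication")
    return _xor(ct, _stream(key, nonce, len(ct)))

class PasswordManagerAgent:
    def __init__(self, locations=3):
        self.vault, self.auth = {}, {}                # encrypted credentials; authenticator hashes
        self.stores = [{} for _ in range(locations)]  # separate storage locations for key components
    def set_authenticator(self, user, authenticator):
        self.auth[user] = hashlib.sha256(authenticator).digest()  # stored key components unaffected
    def store_credential(self, user, credential):
        key = bytearray(secrets.token_bytes(32))       # fresh key; only its components will persist
        self.vault[user] = seal(key, credential)
        for store, part in zip(self.stores, split_key(bytes(key), len(self.stores))):
            store[user] = part
        destroy(key)
    def access(self, user, authenticator):
        # validate identity, regenerate the key from its components, decrypt, re-encrypt, destroy
        if not hmac.compare_digest(hashlib.sha256(authenticator).digest(), self.auth[user]):
            raise PermissionError("identity not validated")
        key = bytearray(reduce(_xor, [s[user] for s in self.stores]))  # regenerated first key
        credential = unseal(key, self.vault[user])
        destroy(key)
        self.store_credential(user, credential)       # second key: created, used, destroyed
        return credential
```

Because the key is rebuilt from stored components rather than derived from the authenticator, changing the authenticator never orphans the encrypted credential, which is the recovery property the abstract claims.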
32 Claims
1. A method of providing access to a resource on a server, the method comprising:
- receiving, by a password manager agent executing on a server, a first authenticator for a user;
- encrypting, by the password manager agent using a first key, in response to receipt of the first authenticator, a user credential required for access to at least one resource;
- destroying the first key;
- receiving, by the password manager agent subsequent to the destruction of the first key, a second authenticator used to authenticate the user;
- receiving, by the server, a request from the user to access the at least one resource;
- regenerating, by the password manager agent, the first key following validation of the identity of the user;
- decrypting the encrypted user credential using the regenerated first key;
- providing the decrypted user credential to the at least one resource;
- encrypting the user credential using a second key created following the receipt of the second authenticator; and
- destroying the second key.

Dependent claims: 2 to 15.

16. A system for providing secure access to a resource on a server, comprising:
- a password management agent executing on a server, the password manager agent detecting a user request to access a secure resource from a user and determining the authenticator associated with the user has changed subsequent to the encryption of a user credential required to access the requested secure resource;
- a first key used to encrypt the user credential required to access the requested secure resource, the first key generated from a plurality of cryptographically strong components, destroyed after encrypting the user credential, and regenerated following the detection by the password manager agent of the user request; and
- a second key used to encrypt the user credential subsequent to the decryption of the user credential using the regenerated key, the second key generated from a plurality of cryptographically strong components and destroyed after encrypting the user credential.

Dependent claims: 17 to 22.

23. An article of manufacture having embodied thereon computer-readable program means for providing access to a secure resource on the server, the article of manufacture comprising:
- computer-readable program means for receiving, by a password manager agent executing on a server, a first authenticator for a user;
- computer-readable program means for encrypting, by the password manager agent using a first key, in response to receipt of the first authenticator, a user credential required for access to at least one resource;
- computer-readable program means for destroying the first key;
- computer-readable program means for receiving, by the password manager agent subsequent to the destruction of the first key, a second authenticator used to authenticate the user;
- computer-readable program means for receiving, by the server, a request from the user to access the at least one resource;
- computer-readable program means for regenerating, by the password manager agent, the first key following validation of the identity of the user;
- computer-readable program means for decrypting the encrypted user credential using the regenerated first key;
- computer-readable program means for providing the decrypted user credential to the at least one resource;
- computer-readable program means for encrypting the user credential using a second key created following the receipt of the second authenticator; and
- computer-readable program means for destroying the second key.

Dependent claims: 24 to 32.