Method and apparatus for offline cryptographic key establishment
First Claim
1. An apparatus for establishment of a trust relationship between first and second security appliances which are communicatively connected over an insecure medium, comprising:
- a module for generating a verifier code in the first security appliance in response to an input by a first user operatively connected to the first security appliance, wherein the first and second security appliances are configured to transparently encrypt data en route to one or more storage devices operatively connected to the first and second security appliances;
- the first security appliance associated with the first user for generating a trust establishment package (TEP) and for forwarding the verifier code to a second user via the insecure medium in the TEP;
- an offline channel over which the first user can communicate the TEP a second time to the second user in response to communicating the verifier code via the insecure medium;
- the second security appliance associated with the second user configured to upload the TEP received from the first user via the insecure medium; and
- wherein the trust establishment package is authentic when the verifier code in the TEP received from the first user via the offline channel is the same as the verifier code received from the first user via the insecure medium, and wherein neither the first security appliance nor the second security appliance have to share all keys associated with the first and second security appliances to establish the trust relationship.
Abstract
The invention provides an authentication scheme that allows networked devices to establish trust in connection with the exchange of keys pursuant to an asymmetrical cryptographic technique, such as Diffie-Hellman. The invention provides a technique, referred to as offline key establishment, that establishes a trust relationship between two networked devices that use Diffie-Hellman. Offline key sharing provides for the exchange of authentication information using a separate channel which, in the preferred embodiment, does not constitute an IP connection. Thus, while communications between networked devices may ultimately proceed via a network connection, trust between the networked devices is established via a separate, offline channel, such as a telephone call or email message. The use of offline key establishment allows for such features as one-way key sharing, and addresses situations where one party to the exchange does not want to share all of his keys, but just one or two keys.
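The verifier-code check described in the abstract and claim 1, as an added illustration that is not code from the patent: the patent does not say how the verifier code is derived, so this example assumes it is a truncated SHA-256 over the package contents, and the appliance names, the `public_key` field and the random key bytes are constructed stand-ins for the Diffie-Hellman public values the appliances would exchange.

```python
import hashlib
import hmac
import json
import secrets

# Human-readable verifier length in hex characters. Assumed for this example;
# the patent does not fix the format of the verifier code.
VERIFIER_HEX_LEN = 8

def verifier_code(body: dict) -> str:
    """Derive the verifier code as a truncated SHA-256 over the canonical TEP body.
    Assumption for this example: binding the code to the package contents means
    any change to the public key in transit yields a different code."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()[:VERIFIER_HEX_LEN]

def make_tep(appliance_id: str, public_key: bytes) -> dict:
    """First appliance: build the trust establishment package (TEP) and its verifier."""
    body = {"appliance": appliance_id, "public_key": public_key.hex()}
    return {"body": body, "verifier": verifier_code(body)}

def tep_is_authentic(network_tep: dict, offline_verifier: str) -> bool:
    """Second appliance: accept the TEP received over the insecure medium only if
    the code recomputed from it matches both the code carried in the package and
    the code the first user repeated over the offline channel (phone, e-mail)."""
    recomputed = verifier_code(network_tep["body"])
    return (hmac.compare_digest(recomputed, network_tep["verifier"])
            and hmac.compare_digest(recomputed, offline_verifier))

def simulate(attacker_in_path: bool) -> bool:
    """Run the exchange once; the 32 random bytes are a constructed stand-in for
    the first appliance's Diffie-Hellman public value."""
    first_tep = make_tep("appliance-A", secrets.token_bytes(32))
    offline_code = first_tep["verifier"]           # read out over the offline channel
    delivered = json.loads(json.dumps(first_tep))  # copy crossing the insecure medium
    if attacker_in_path:
        # An on-path party can replace the package and its embedded verifier, but
        # cannot change what the first user says over the offline channel.
        delivered = make_tep("appliance-A", secrets.token_bytes(32))
    return tep_is_authentic(delivered, offline_code)

if __name__ == "__main__":
    print("honest exchange accepted:", simulate(False))
    print("substituted key accepted:", simulate(True))
```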
8 Claims