System and method for securely storing cryptographic keys with encrypted data

US 8,037,319 B1
Filed: 06/30/2006
Issued: 10/11/2011
Est. Priority Date: 06/30/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

reading a first cryptographic key from a first storage device;

using the first cryptographic key to decrypt a first set of information stored on a second storage device, whereinthe second storage device is separate from the first storage device,the first set of information stored on the second storage device comprisesat least a portion of a second cryptographic key, andinformation usable to decrypt an additional portion of the second cryptographic key, andthe second cryptographic key is usable to decrypt user information stored on the first storage device.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The payload of a set of storage devices is encrypted using a payload key that is stored within the set of storage devices itself. However, the payload key is obtainable only if a user has access to n of the storage devices. A first set of keys can be distributed among a set of n storage devices, such that each key is usable to encrypt and/or decrypt a key stored on a different one of the n storage devices. The first set of keys is usable to encrypt portions of the information needed to regenerate another key (e.g., the payload key or a key used to encrypt the payload key). A different portion of the information needed to regenerate the other key is stored on each of the n storage devices. Accordingly, the other key cannot be obtained unless the user has access to all n storage devices.

Citations

23 Claims

1. A method comprising:
- reading a first cryptographic key from a first storage device;
  
  using the first cryptographic key to decrypt a first set of information stored on a second storage device, whereinthe second storage device is separate from the first storage device,the first set of information stored on the second storage device comprisesat least a portion of a second cryptographic key, andinformation usable to decrypt an additional portion of the second cryptographic key, andthe second cryptographic key is usable to decrypt user information stored on the first storage device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, whereina total of n storage devices must be accessed in order to obtain the cryptographic key usable to decrypt the user information stored on the first storage device, wherein n is a number larger than three.
  - 3. The method of claim 1, further comprising:
    - reading an unencrypted cryptographic key from a set of information stored on a third storage device; and
      
      using the unencrypted cryptographic key to decrypt a first set of information stored on the first storage device, prior to reading the first cryptographic key from the first storage device.
  - 4. The method of claim 1, further comprising:
    - reading a first portion of a third cryptographic key from a first set of information stored on the first storage device; and
      
      reading a second portion of the third cryptographic key from the first set of information stored on the second storage device.
  - 5. The method of claim 4, further comprising:
    - using the third cryptographic key to decrypt user information stored on at least one of the first storage device and the second storage device.
  - 6. The method of claim 4, further comprising:
    - using the third cryptographic key to decrypt a second set of information stored on the first storage device and a second set of information stored on the second storage device, whereinthe second set of information stored on the first storage device comprises a first portion of a fourth cryptographic key, andthe second set of information stored on the second storage device comprises a second portion of the fourth cryptographic key.
  - 7. The method of claim 6, further comprising:
    - using the fourth cryptographic key to decrypt user information stored on at least one of the first storage device and the second storage device.
  - 8. The method of claim 1, wherein the first storage device is one of:
    - a tape storage device, a hard drive, or an optical disc.
  - 9. The method of claim 1, further comprising:
    - decrypting, based at least in part on the second cryptographic key, a second set of information, whereinthe second set of information comprises the cryptographic key usable to decrypt the user information stored on the first storage device; and
      
      decrypting, based at least in part on the cryptographic key usable to decrypt the user information stored on the first storage device, the user information stored on the first storage device.
  - 10. The method of claim 1, wherein:
    - the second cryptographic key is necessary to obtainthe cryptographic key usable to decrypt the user information stored on the first storage device.
  - 11. The method of claim 1, wherein:
    - the first set of information stored on the second storage device comprises a third key; and
      
      the third key is usable to decrypt the additional portion of the second cryptographic key.

12. A system comprising:
- means for reading a first cryptographic key from a first storage device; and
  
  means for using the first cryptographic key to decrypt a first set of information stored on a second storage device, whereinthe first set of information comprises at least a portion of a second cryptographic key, andinformation usable to decrypt an additional portion of the second cryptographic key,the second cryptographic key is usable to decrypt user information stored on the first storage device, andthe second storage device is separate from the first storage device.
- View Dependent Claims (13)
- - 13. The system of claim 12, whereina total of n storage devices must be accessed in order to obtain the cryptographic key usable to decrypt user information stored on the first storage device.

14. A non-transitory computer-readable storage medium comprising program instructions executable to:
- read a first cryptographic key from a first storage device; and
  
  use the first cryptographic key to decrypt a set of information stored on a second storage device, whereinthe second storage device is separate from the first storage device,the first set of information stored on the second storage device comprises;
  
  at least a portion of a second cryptographic key, andinformation usable to decrypt an additional portion of the second cryptographic key, andthe second cryptographic key is usable to decrypt user information stored on the first storage device.
- View Dependent Claims (15)
- - 15. The non-transitory computer-readable medium of claim 14, wherein the program instructions are executable to access a total of n storage devices in order to obtain the cryptographic key usable to decrypt user information stored on the first storage device.

16. A system comprising:
- a key distribution module configured to;
  
  generate a first cryptographic key and a second cryptographic key;
  
  subdivide the second cryptographic key into a plurality of portions;
  
  initiate encryption of each of the portions of the second cryptographic key,whereinat least one portion of the second cryptographic key is encrypted using the first cryptographic key; and
  
  store each encrypted portion of the second cryptographic key to a respective one of a plurality of storage devices, whereineach of the storage devices stores encrypted user data,the second cryptographic key is usable for recovery of the encrypted user dataeach of the storage devices stores a different encrypted portion of the second cryptographic key,the key distribution module is configured to;
  
  generate a plurality of first cryptographic keys, wherein the plurality of first cryptographic keys comprises the first cryptographic key,initiate encryption of each portion of the second cryptographic key using a respective one of the first cryptographic keys, wherein each of the first cryptographic keys is used to encrypt a different portion of the second cryptographic key, andstore each of the first cryptographic keys on a different one of the plurality of storage devices than the respective portion of the second cryptographic key.
- View Dependent Claims (17)
- - 17. The system of claim 16, further comprising:
    - an encryption module coupled to the key distribution module, wherein the encryption module is configured to encrypt each portion of the second cryptographic key using the respective one of the first cryptographic keys, wherein each of the first cryptographic keys is used to encrypt a different portion of the second cryptographic key.

18. A system comprising:
- a processor configured to;
  
  read a first cryptographic key from a first storage device; and
  
  a distributed decryption module configured to;
  
  use the first cryptographic key to decrypt a set of information stored on a second storage device, whereinthe second storage device is separate from the first storage device, andthe set of information is usable to obtain a second cryptographic key, andthe second cryptographic key is usable to obtain user information stored on the first storage device.
- View Dependent Claims (19)
- - 19. The system of claim 18, whereinthe distributed encryption module is configured to access a total of n storage devices in order to obtain the cryptographic key usable to decrypt user information stored on the first storage device.

20. A method comprising:
- reading a first device key from a first storage device;
  
  reading a first set of information stored on a second storage device, whereinthe second storage device is separate from the first storage device, andthe first set of information stored on the second storage device is stored in encrypted form on the second storage device;
  
  using the first device key to decrypt the first set of information stored on the second storage device, wherein the first set of information stored on the second storage device comprises;
  
  a first portion of a payload key, anda second device key,reading a first set of information stored on a third storage device, whereinthe third storage device is separate from the first and second storage devices, andthe first set of information stored on the third storage device is stored in encrypted form on the third storage device;
  
  using the second device key to decrypt the first set of information stored on the third storage device, wherein the first set of information stored on the third storage device comprisesa second portion of the payload key, andreading a payload data stored on the first storage device, wherein the payload data stored on the first storage device is stored in encrypted form on the first storage device; and
  
  using the payload key to decrypt the payload data stored on the first storage device.
- View Dependent Claims (21, 22, 23)
- - 21. The method of claim 20, further comprising:
    - reading a first set of information stored on the first storage device; and
      
      decrypting the first set of information stored on the first storage device, wherein the first set of information stored on the first storage device comprisesa third portion of the payload key.
  - 22. The method of claim 20, further comprising:
    - reading a payload data stored on the third storage device, wherein the payload data stored on the third storage device is stored in encrypted form on the third storage device; and
      
      using the payload key to decrypt the payload data stored on the third storage device.
  - 23. The method of claim 22, further comprising:
    - reading a payload data stored on the second storage device, wherein the payload data stored on the second storage device is stored in encrypted form on the second storage device; and
      
      using the payload key to decrypt the payload data stored on the second storage device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Veritas Technologies, LLC (Whitehouse Group Ltd.)
Original Assignee
Symantec Operating Corporation (Gen Digital Inc.)
Inventors
Clifford, Thomas G.
Primary Examiner(s)
Barron, Jr.; Gilberto
Assistant Examiner(s)
ZECHER, CORDELIA P K

Application Number

US11/478,812
Time in Patent Office

1,929 Days
Field of Search

713/193
US Class Current

713/193
CPC Class Codes

G06F 21/6218   to a system of files or obj...

G06F 2221/2107   File encryption

H04L 9/0894   Escrow, recovery or storing...

System and method for securely storing cryptographic keys with encrypted data

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

23 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for securely storing cryptographic keys with encrypted data

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

23 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links