System and method for remote reset of password and encryption key
First Claim
1. A method implemented using a data storage device, the data storage device being provided with a content protection key K, the method comprising:
- receiving, at a data storage device, a public key B generated from a private key b at a remote location, the private key b being stored at the remote location;
- generating, at the data storage device, a private key d and a public key D from the private key d;
- generating, at the data storage device, a key encryption key L from the private key d and the public key B;
- encrypting the content protection key K with the key encryption key L to provide a first encrypted content protection key;
- encrypting the content protection key K with a first password to provide a second encrypted content protection key;
- storing the first encrypted content protection key and the second encrypted content protection key in the data storage device;
- destroying the private key d and the content protection key K at the data storage device;
- generating, at the data storage device, a key value r and a public key D′ from the key value r and the public key D;
- transmitting the public key D′ to the remote location;
- receiving, at the data storage device, a public key L′ generated from the private key b and the public key D′ at the remote location;
- obtaining, at the data storage device, the key encryption key L from the inverse key value r⁻¹ and L′;
- decrypting the first encrypted content protection key using L to obtain the content protection key K;
- decrypting content previously encrypted using the content protection key K and stored in the data storage device using the content protection key K thus obtained;
- encrypting the content thus decrypted using a new content protection key K′;
- encrypting the new content protection key K′ using the key encryption key L to provide a new first encrypted content protection key; and
- encrypting the new content protection key K′ with the first password to provide a new second encrypted content protection key.
Abstract
A method for securing data and resetting a password using a content protection key is provided, in which the content protection key itself is protected by a password. A content protection key is also protected at a data storage device with a key encryption key generated in collaboration with an additional device such as a server. The server stores a private key required to regenerate the key encryption key, but this private key is not provided from the server to the data storage device; rather, a public key derived from the private key is provided by the server. The data storage device combines the received public key and a further private key to derive the key encryption key; the further private key itself is not stored by the data storage device, but rather its matching public key is stored. The content protection key is then encrypted using a password and the derived key encryption key. If the password is lost, data from the server and from the data storage device may be combined to recreate the key encryption key.
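The exchange summarized in the abstract, using the symbols of claim 1 (b, B, d, D, L, r, D′, L′), can be traced in a short added example; this is not code from the patent. The group (integers modulo 2^521 − 1 with base 3), the SHA-256/XOR key wrap, the PBKDF2 salt and iteration count, and all function names are assumptions chosen for illustration, since the claims do not fix a group or a cipher.

```python
import hashlib, math, secrets

# Assumed demo group: integers mod the Mersenne prime 2^521 - 1, base 3.
# A deployment would use a vetted prime-order group or elliptic curve.
P, G = 2**521 - 1, 3
ORDER = P - 1                      # exponents are taken modulo P - 1

def keypair():
    """Return (private, public) with public = G^private mod P."""
    priv = secrets.randbelow(ORDER - 2) + 2
    return priv, pow(G, priv, P)

def wrap(secret: bytes, key32: bytes) -> bytes:
    """Stand-in key wrap (assumption): XOR with SHA-256(secret); self-inverse."""
    pad = hashlib.sha256(secret).digest()
    return bytes(a ^ b for a, b in zip(key32, pad))

def pw_secret(password: bytes) -> bytes:
    # Constructed salt and iteration count, for the demo only.
    return hashlib.pbkdf2_hmac("sha256", password, b"demo-salt", 100_000)

def enroll(B: int, K: bytes, password: bytes) -> dict:
    """Device: derive L = B^d, wrap K under L and under the password, keep only D."""
    d, D = keypair()
    L = pow(B, d, P)
    store = {"D": D,
             "K_by_L": wrap(L.to_bytes(66, "big"), K),
             "K_by_pw": wrap(pw_secret(password), K)}
    del d, L                       # neither d nor L (nor K) is stored
    return store

def blind(D: int):
    """Device: pick invertible r and return (r, D' = D^r)."""
    while True:
        r = secrets.randbelow(ORDER - 2) + 2
        if math.gcd(r, ORDER) == 1:
            return r, pow(D, r, P)

def server_respond(b: int, D_blind: int) -> int:
    """Server: L' = D'^b. It sees only the blinded D', never D or L."""
    return pow(D_blind, b, P)

def recover(store: dict, r: int, L_blind: int) -> bytes:
    """Device: L = L'^(r^-1), then unwrap K from the L-wrapped copy."""
    L = pow(L_blind, pow(r, -1, ORDER), P)
    return wrap(L.to_bytes(66, "big"), store["K_by_L"])
```

Recovery succeeds only when the response was computed with the same private key b whose public key B was used at enrolment; the password-wrapped copy of K remains usable independently of the server.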
25 Claims
15. A method implemented using a data storage device, the data storage device being provided with a content protection key K, the method comprising:
- receiving, at the data storage device, a public key B generated from a private key b at a remote location, the private key b being stored at the remote location;
- generating, at the data storage device, a private key d and a public key D from the private key d;
- generating, at the data storage device, a key encryption key L from the private key d and the public key B;
- encrypting the content protection key K with a first password to provide an encrypted content protection key;
- storing the encrypted content protection key at the data storage device;
- encrypting the first password with the key encryption key L to provide a first encrypted password;
- storing the encrypted password at the data storage device;
- destroying the private key d and the unencrypted content protection key K at the data storage device;
- generating, at the data storage device, a key value r and a public key D′ from the key value r and the public key D;
- transmitting the public key D′ to the remote location;
- receiving, at the data storage device, a public key L′ generated from the private key b and the public key D′ at the remote location;
- obtaining, at the data storage device, the key encryption key L from the inverse key value r⁻¹ and L′;
- decrypting the first encrypted password using L to obtain the first password;
- decrypting the encrypted content protection key using the first password obtained by decrypting the first encrypted password to obtain the content protection key K;
- decrypting content previously encrypted using the content protection key K and stored in the data storage device using the content protection key K thus obtained;
- encrypting the content thus decrypted using a new content protection key K′; and
- encrypting the new content protection key K′ using the first password to provide a new encrypted content protection key.
Specification