System and method for remote reset of password and encryption key

US 8,074,078 B2
Filed: 05/15/2006
Issued: 12/06/2011
Est. Priority Date: 05/15/2006
Status: Active Grant

First Claim

Patent Images

1. A method implemented using a data storage device, the data storage device being provided with a content protection key K, the method comprising:

receiving, at a data storage device, a public key B generated from a private key b at a remote location, the private key b being stored at the remote location;

generating, at the data storage device, a private key d and a public key D from the private key d;

generating, at the data storage device, a key encryption key L from the private key d and the public key B;

encrypting the content protection key K with the key encryption key L to provide a first encrypted content protection key;

encrypting the content protection key K with a first password to provide a second encrypted content protection key;

storing the first encrypted content protection key and the second encrypted content protection key in the data storage device;

destroying the private key d and the content protection key K at the data storage device;

generating, at the data storage device, a key value r and a public key D′

from the key value r and the public key D;

transmitting the public key D′

to the remote location;

receiving, at the data storage device, a public key L′

generated from the private key b and the public key D′

at the remote location;

obtaining, at the data storage device, the key encryption key L from the inverse key value r^−

1and L′

;

decrypting the first encrypted content protection key using L to obtain the content protection key K;

decrypting content previously encrypted using the content protection key K and stored in the data storage device using the content protection key K thus obtained;

encrypting the content thus decrypted using a new content protection key K′

;

encrypting the new content protection key K′

using the key encryption key L to provide a new first encrypted content protection key; and

encrypting the new content protection key K′

with the first password to provide a new second encrypted content protection key.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for securing data and resetting a password using a content protection key is provided, in which the content protection key itself is protected by a password. A content protection key is also protected at a data storage device with a key encryption key generated in collaboration with an additional device such as a server. The server stores a private key required to regenerate the key encryption key, but this private key is not provided from the server to the data storage device; rather, a public key derived from the private key is provided by the server. The data storage device combines the received public key and a further private key to derive the key encryption key; the further private key itself is not stored by the data storage device, but rather its matching public key is stored. The content protection key is then encrypted using a password and the derived key encryption key. If the password is lost, data from the server and from the data storage device may be combined to recreate the key encryption key.

67 Citations

View as Search Results

25 Claims

1. A method implemented using a data storage device, the data storage device being provided with a content protection key K, the method comprising:
- receiving, at a data storage device, a public key B generated from a private key b at a remote location, the private key b being stored at the remote location;
  
  generating, at the data storage device, a private key d and a public key D from the private key d;
  
  generating, at the data storage device, a key encryption key L from the private key d and the public key B;
  
  encrypting the content protection key K with the key encryption key L to provide a first encrypted content protection key;
  
  encrypting the content protection key K with a first password to provide a second encrypted content protection key;
  
  storing the first encrypted content protection key and the second encrypted content protection key in the data storage device;
  
  destroying the private key d and the content protection key K at the data storage device;
  
  generating, at the data storage device, a key value r and a public key D′
  
  from the key value r and the public key D;
  
  transmitting the public key D′
  
  to the remote location;
  
  receiving, at the data storage device, a public key L′
  
  generated from the private key b and the public key D′
  
  at the remote location;
  
  obtaining, at the data storage device, the key encryption key L from the inverse key value r^−
  
  1and L′
  
  ;
  
  decrypting the first encrypted content protection key using L to obtain the content protection key K;
  
  decrypting content previously encrypted using the content protection key K and stored in the data storage device using the content protection key K thus obtained;
  
  encrypting the content thus decrypted using a new content protection key K′
  
  ;
  
  encrypting the new content protection key K′
  
  using the key encryption key L to provide a new first encrypted content protection key; and
  
  encrypting the new content protection key K′
  
  with the first password to provide a new second encrypted content protection key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The method of claim 1, further comprisingdetermining that an input password matches the first password;
    - decrypting the second encrypted content protection key using the input password to obtain the content protection key K; and
      
      using the content protection key K obtained by decrypting the second encrypted content protection key using the input password to encrypt content for storage in the data storage device.
  - 3. The method of claim 2 further comprising using the content protection key K obtained by decrypting the second encrypted content protection key using the input password to decrypt encrypted content stored in the data storage device.
  - 4. The method of claim 1, further comprising:
    - decrypting the first encrypted content protection key using L to obtain the content protection key K;
      
      encrypting the content protection key K using a new key encryption key M to provide a new first encrypted content protection key; and
      
      encrypting the content protection key K with a second password to provide a new second encrypted content protection key;
      
      wherein the new key protection key M is obtained by;
      
      receiving, at a data storage device, a public key B₁generated from a private key b₁at a remote location, the private key b₁being stored at the remote location;
      
      generating, at the data storage device, a private key d₁and a public key D₁from the private key d₁;
      
      generating, at the data storage device, the key encryption key M from the private key d₁and the public key B₁; and
      
      destroying, at the data storage device, the private key d₁and the content protection key K while retaining the new first and the new second encrypted content protection keys.
  - 5. The method of claim 1, further comprising receiving, at the data storage device, a request for a public key from the remote location, prior to generating the key value r and the public key D′
    - .
  - 6. The method of claim 1, further comprising receiving, at the data storage device, a reset password command from the remote location, prior to generating the key value r and the public key D′
    - .
  - 7. The method of claim 1, further comprising:
    - decrypting the first encrypted content protection key using L to obtain the content protection key K;
      
      decrypting content previously encrypted using the content protection key K and stored in the data storage device using the content protection key K thus obtained;
      
      encrypting the content thus decrypted using a new content protection key K′
      
      ;
      
      encrypting the new content protection key K′
      
      using the password to provide a new first encrypted content protection key; and
      
      encrypting the new content protection key K′
      
      with a new key encryption key M to provide a new second encrypted content protection key;
      
      wherein the new key protection key M is obtained by;
      
      receiving, at a data storage device, a public key B₁generated from a private key b₁at a remote location, the private key b₁being stored at the remote location;
      
      generating, at the data storage device, a private key d₁and a public key D₁from the private key d₁;
      
      generating, at the data storage device, the key encryption key M from the private key d₁and the public key B₁; and
      
      destroying, at the data storage device, the private key d₁and the new content protection key K′
      
      while retaining the new first and the new second encrypted content protection keys.
  - 8. The method of claim 4 wherein the public key B is generated from a generating point P, and the public key B₁is generated from a generating point P₁.
  - 9. The method of claim 8 wherein generating point P and generating point P₁are the same.
  - 10. The method of claim 7 wherein the public key B is generated from a generating point P, and the public key B₁is generated from a generating point P₁.
  - 11. The method of claim 10 wherein generating point P and generating point P₁are the same.
  - 12. A data storage device comprising a processor and memory adapted to carry out the method of claim 4.
  - 13. The data storage device of claim 12, wherein the data storage device is a mobile communication device.
  - 14. A computer program product comprising a non-transitory computer-readable medium storing code executable by a computing device for carrying out the method of claim 4.

15. A method implemented using a data storage device, the data storage device being provided with a content protection key K, the method comprising:
- receiving, at the data storage device, a public key B generated from a private key b at a remote location, the private key b being stored at the remote location;
  
  generating, at the data storage device, a private key d and a public key D from the private key d;
  
  generating, at the data storage device, a key encryption key L from the private key d and the public key B;
  
  encrypting the content protection key K with a first password to provide an encrypted content protection key;
  
  storing the encrypted content protection key at the data storage device;
  
  encrypting the first password with the key encryption key L to provide a first encrypted password;
  
  storing the encrypted password at the data storage device;
  
  destroying the private key d and the unencrypted content protection key K at the data storage device;
  
  generating, at the data storage device, a key value r and a public key D′
  
  from the key value r and the public key D;
  
  transmitting the public key D′
  
  to the remote location;
  
  receiving, at the data storage device, a public key L′
  
  generated from the private key b and the public key D′
  
  at the remote location;
  
  obtaining, at the data storage device, the key encryption key L from the inverse key value r^−
  
  1and L′
  
  ;
  
  decrypting the first encrypted password using L to obtain the first password;
  
  decrypting the encrypted content protection key using the first password obtained by decrypting the first encrypted password to obtain the content protection key K;
  
  decrypting content previously encrypted using the content protection key K and stored in the data storage device using the content protection key K thus obtained;
  
  encrypting the content thus decrypted using a new content protection key K′
  
  ; and
  
  encrypting the new content protection key K′
  
  using the first password to provide a new encrypted content protection key.
- View Dependent Claims (16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 16. The method of claim 15, further comprising:
    - determining that an input password matches the first password;
      
      decrypting the encrypted content protection key using the input password to obtain the content protection key K; and
      
      using the content protection key K obtained by decrypting the encrypted content protection key using the input password to encrypt content for storage in the data storage device.
  - 17. The method of claim 16 further comprising using the content protection key K obtained by decrypting the encrypted content protection key using the input password to decrypt encrypted content stored in the data storage device.
  - 18. The method of claim 15, further comprising:
    - decrypting the first encrypted password using L to obtain the first password;
      
      decrypting the encrypted content protection key using the first password obtained by decrypting the first encrypted password to obtain the content protection key K;
      
      encrypting the content protection key K using a second password to provide a new encrypted content protection key; and
      
      encrypting the second password using a new key encryption key M to provide a second encrypted password;
      
      wherein the new key protection key M is obtained by;
      
      receiving, at a data storage device, a public key B₁generated from a private key b₁at a remote location, the private key b₁being stored at the remote location;
      
      generating, at the data storage device, a private key d₁and a public key D₁from the private key d₁;
      
      generating, at the data storage device, the key encryption key M from the private key d₁and the public key B₁; and
      
      destroying the private key d₁and the content protection key K at the data storage device.
  - 19. The method of claim 15, further comprising receiving, at the data storage device, a request for a public key from the remote location, prior to generating the key value r and the public key D′
    - .
  - 20. The method of claim 15, further comprising receiving, at the data storage device, a reset password command from the remote location, prior to generating the key value r and the public key D′
    - .
  - 21. The method of claim 15, further comprising:
    - decrypting the first encrypted password using L to obtain the first password;
      
      decrypting the encrypted content protection key using the first password obtained by decrypting the first encrypted password to obtain the content protection key K;
      
      decrypting content previously encrypted using the content protection key K and stored in the data storage device using the content protection key K thus obtained;
      
      encrypting the content thus decrypted using a new content protection key K′
      
      ;
      
      encrypting the new content protection key K′
      
      using the password to provide a new encrypted content protection key; and
      
      encrypting the first password with a new key encryption key M to provide a new first encrypted password;
      
      wherein the new key protection key M is obtained by;
      
      receiving, at a data storage device, a public key B₁generated from a private key b₁at a remote location, the private key b₁being stored at the remote location;
      
      generating, at the data storage device, a private key d₁and a public key D₁from the private key d₁;
      
      generating, at the data storage device, the key encryption key M from the private key d₁and the public key B₁; and
      
      destroying the private key d₁and the new content protection key K′
      
      at the data storage device.
  - 22. The method of claim 18 wherein the public key B is generated from a generating point P, and the public key B₁is generated from a generating point P₁.
  - 23. The method of claim 22 wherein the public key B is generated from a generating point P and generating point P₁are the same.
  - 24. The method of claim 21 wherein the public key B is generated from a generating point P, and the public key B₁is generated from a generating point P₁.
  - 25. The method of claim 24 wherein the public key B is generated from a generating point P and generating point P₁are the same.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Malikie Innovations Limited (Key Patent Innovations Limited)
Original Assignee
Blackberry Limited
Inventors
Brown, Michael K., Brown, Michael S., Little, Herbert A.
Primary Examiner(s)
Vu, Kim
Assistant Examiner(s)
To, Baotran N

Application Number

US11/383,369
Publication Number

US 20070266258A1
Time in Patent Office

2,031 Days
Field of Search

713/183, 713/189, 713/193, 380/30, 380/277, 380/278, 380/279, 380/284, 380/285, 705/51, 726/5
US Class Current

713/193
CPC Class Codes

H04L 2209/24   Key scheduling, i.e. genera...

H04L 2209/60   Digital content management,...

H04L 63/00   Network architectures or ne...

H04L 9/0822   using key encryption key

H04L 9/0891   Revocation or update of sec...

H04L 9/14   using a plurality of keys o...

System and method for remote reset of password and encryption key

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for remote reset of password and encryption key

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links