Methods and systems for secure key delivery

US 8,098,829 B2
Filed: 06/06/2006
Issued: 01/17/2012
Est. Priority Date: 06/06/2006
Status: Active Grant

First Claim

Patent Images

1. A method of generating keys for a token, the method comprising:

generating, by a processor, a subject key pair wherein the subject key pair includes a subject public key and a subject private key;

encrypting the subject private key with a storage session key to generate a wrapped storage private key;

retrieving a storage key associated with a data recovery manager, wherein the storage key is a private key;

encrypting the storage session key with the storage key to generate a wrapped storage session key; and

archiving the wrapped storage private key and the wrapped storage session key in the data recovery manager.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An embodiment pertains generally to a method of delivering keys in a server. The method includes generating a subject key pair, where the subject key pair includes a subject public key and a subject private key. The method also includes retrieving a storage key and encrypting the subject private key with the storage key as a wrapped storage private key. The method further includes storing the wrapped storage private key.

210 Citations

27 Claims

1. A method of generating keys for a token, the method comprising:
- generating, by a processor, a subject key pair wherein the subject key pair includes a subject public key and a subject private key;
  
  encrypting the subject private key with a storage session key to generate a wrapped storage private key;
  
  retrieving a storage key associated with a data recovery manager, wherein the storage key is a private key;
  
  encrypting the storage session key with the storage key to generate a wrapped storage session key; and
  
  archiving the wrapped storage private key and the wrapped storage session key in the data recovery manager.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, further comprising:
    - retrieving the storage key; and
      
      generating the storage session key.
  - 3. The method of claim 1, further comprising of determining an identification number associated with the token.
  - 4. The method of claim 3, further comprising:
    - deriving a key encryption key based on a server master key and the identification number;
      
      generating a key transport session key; and
      
      encrypting the key transport session key with the key encryption key to generate a first wrapped key transport session key.
  - 5. The method of claim 4, further comprising:
    - retrieving a server transport key; and
      
      encrypting the key transport session key with the server transport key to generate a second wrapped key transport session key.
  - 6. The method of claim 5, further comprising of forwarding the second wrapped key transport session key to a data recovery manager.
  - 7. The method of claim 6, further comprising:
    - decrypting the second wrapped key transport session key with a complementary private key of the server transport key to retrieve the key transport session key; and
      
      encrypt the subject private key with key transport session key to arrive at a wrapped private key.
  - 8. The method of claim 7, further comprising of forwarding the wrapped private key to the token.
  - 9. The method of claim 1, further comprising of transmitting a certificate enrollment request and information related to the subject public key to certificate authority.
  - 10. The method of claim 1, further comprising of forwarding any generated certificates to the token.
  - 11. An apparatus comprising:
    - a memory containing instructions; and
      
      the processor configured to execute the instructions to perform the method of claim 1.
  - 12. A non-transitory computer-readable medium comprising instructions for causing the processor to perform the method of claim 1.
  - 13. The method of claim 1, wherein the storage key is a permanent key maintained by the data recovery manager.

14. A system for generating keys, the system comprising:
- a security client configured to manage a token; and
  
  a security server comprising a processor and configured to interface with the security client, wherein the security server is configured to generate a subject key pair, wherein the subject key pair includes a subject public key and a subject private key, encrypt the subject private key with a storage session key to generate a wrapped storage private key, retrieve a storage key associated with a data recovery manager module, wherein the storage key is a private key, encrypt the storage session key with the storage key to generate a wrapped storage session key, and archive the wrapped storage private key and the wrapped storage session key.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 15. The system of claim 14, wherein the security server is further configured to execute:
    - a token processing gateway configured to manage the interface between the security client and the security server;
      
      a key service module configured to interface with the token processing gateway;
      
      a certificate authority module configured to interface with the token processing gateway and to generate certificates; and
      
      the data recovery manager module configured to interface with the token processing gateway and configured to maintain a database of private keys, wherein the data recovery manager module is configured to store the wrapped storage private key and the wrapped storage session key.
  - 16. The system of claim 15, wherein the key service module is further configured to generate a key transport session key and derive a key encryption key based on a master server key and an identification number associated with the token.
  - 17. The system of claim 16, wherein the key service module is configured to encrypt the key transport session key with the key encryption key to generate a first wrapped key transport session key.
  - 18. The system of claim 17, wherein the key service module is further configured to retrieve a server transport key and encrypt the key transport session key with the server transport key to generate a second wrapped key transport session key.
  - 19. The system of claim 18, wherein the key service module is further configured to forward the first and second wrapped key transport session keys to the token processing gateway.
  - 20. The system of claim 19, wherein the token processing gateway is further configured to forward the second wrapped key transport session key to the data recovery manager module.
  - 21. The system of claim 20, wherein the data recovery manager module is further configured to generate the subject key pair.
  - 22. The system of claim 21, wherein the data recovery manager module is configured to store the wrapped storage private key and the wrapped storage session key in a database maintained by the data recovery manager module.
  - 23. The system of claim 21, wherein the data recovery manager module is further configured to decrypt the second wrapped key transport session key with a complementary private key of the server transport key to retrieve the key transport session key and encrypt the subject private key with the key transport session key to generate a wrapped subject private key.
  - 24. The system of claim 23, wherein the data recovery manager module is further configured to forward the wrapped subject private key to the token processing gateway.
  - 25. The system of claim 15, wherein the token processing gateway is further configured to transmit a certificate enrollment request and information related to the subject public key to the certificate authority module.
  - 26. The system of claim 25, wherein the token processing gateway is further configured to forward any generated certificates to the token at the security client.
  - 27. The system of claim 14, wherein the storage key is a permanent key maintained by the data recovery manager module.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Fu, Christina, Parkinson, Steven William, Kwan, Nang Kon
Primary Examiner(s)
LAFORGIA, CHRISTIAN A

Application Number

US11/447,196
Publication Number

US 20080019526A1
Time in Patent Office

2,051 Days
Field of Search

380/281, 380/284, 380/286
US Class Current

380/286
CPC Class Codes

H04L 9/0822 using key encryption key

H04L 9/0897 involving additional device...

Methods and systems for secure key delivery

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

210 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for secure key delivery

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

210 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links