System and method for enterprise security including symmetric key protection

US 8,175,269 B2
Filed: 07/05/2006
Issued: 05/08/2012
Est. Priority Date: 07/05/2006
Status: Active Grant

First Claim

Patent Images

1. A computer executable method for deploying a symmetric key in a software application comprising the steps of:

providing a software application as source code for installation at a plurality of computer systems;

providing an application-base-secret, associated with the source code, which is accessible by all installed instances of the software application at the plurality of computer systems;

providing an application-keypair, associated with the source code, which includes an application public key and an application private key, wherein the application public key of the application-keypair is also accessible by all of the installed instances of the software application, and wherein the application private key is associated with a utility application;

using the utility application to install a particular instance of the software application at a particular computer system, including, for the particular instancegenerating, at the time of installation of the particular instance of the software application at the particular computer system, an instance-base-secret which is unique to the particular instance of the software application,encrypting the instance-base-secret using the application private key from the application-keypair that is associated with the utility application,generating an instance-keypair, using the application-base-secret and the instance-base-secret, which includes an instance public key and an instance private key, wherein the instance-keypair is also unique to the particular instance of the software application,creating an instance certificate using a certificate authority and the instance public key from the instance-keypair, so that the instance certificate is unique to the particular instance of the software application,creating a digital signature of the encrypted instance-base-secret using the instance private key of the instance-keypair, and using the digital signature to sign the instance certificate,associating the instance certificate with the particular instance of the software application, andremoving the instance private key; and

thereafter periodically verifying the authenticity of the instance certificate.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for enterprise security including symmetric key protection. In accordance with an embodiment, the system provides a higher level of protection against unauthorized key disclosure by encrypting randomly generated seed data used for key generation, and using digital signatures and asymmetric encryption.

17 Citations

View as Search Results

20 Claims

1. A computer executable method for deploying a symmetric key in a software application comprising the steps of:
- providing a software application as source code for installation at a plurality of computer systems;
  
  providing an application-base-secret, associated with the source code, which is accessible by all installed instances of the software application at the plurality of computer systems;
  
  providing an application-keypair, associated with the source code, which includes an application public key and an application private key, wherein the application public key of the application-keypair is also accessible by all of the installed instances of the software application, and wherein the application private key is associated with a utility application;
  
  using the utility application to install a particular instance of the software application at a particular computer system, including, for the particular instancegenerating, at the time of installation of the particular instance of the software application at the particular computer system, an instance-base-secret which is unique to the particular instance of the software application,encrypting the instance-base-secret using the application private key from the application-keypair that is associated with the utility application,generating an instance-keypair, using the application-base-secret and the instance-base-secret, which includes an instance public key and an instance private key, wherein the instance-keypair is also unique to the particular instance of the software application,creating an instance certificate using a certificate authority and the instance public key from the instance-keypair, so that the instance certificate is unique to the particular instance of the software application,creating a digital signature of the encrypted instance-base-secret using the instance private key of the instance-keypair, and using the digital signature to sign the instance certificate,associating the instance certificate with the particular instance of the software application, andremoving the instance private key; and
  
  thereafter periodically verifying the authenticity of the instance certificate.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 15, 16, 19)
- - 2. The method of claim 1 wherein the symmetric key is derived by combining the application-base-secret and the instance-base-secret.
  - 3. The method of claim 1 wherein the application-base-secret and application-keypair is embedded in the software application'"'"'s source code.
  - 4. The method of claim 1 wherein the instance certificate is periodically verified by checking it against a certificate authority.
  - 5. The method of claim 1, wherein the method further comprisesremoving the private key of the instance-keypair from the installation of the software application so that the encrypted instance-base-secret and the digital signatures of the instance-base-secret is read-only.
  - 6. The method of claim 1, wherein the source code is stored on a computer readable medium, together with the application-base-secret and the application-keypair, prior to installation of the software application so that they are accessible to each of the installed instances of the software application, and wherein the instance-base-secret and the instance-keypair are subsequently generated by an installer at the computer system during installation of the particular instance of the software application.
  - 7. The method of claim 1, wherein a public key of the application-keypair is copied to a system disk to be subsequently shared by all installations of the application, and wherein a private key of the application-keypair is embedded into a separate utility application which is not installed on the disk with the rest of the application binaries, but is made available for use by the system upon request.
  - 8. The method of claim 4, wherein the instance certificate for the particular instance of the software application is periodically verified by accessing the instance certificate associated with that instance, retrieving its public key, and using that to verify the instance-base-secret previously stored in the digital signature.
  - 15. The method of claim 1, further comprisingstoring an entry for the certificate authority in a trust keystore;
    - creating a digital signature of the encrypted instance-base-secret and the trust keystore, using the private key of the instance-keypair; and
      
      deleting the private key associated with the instance.
  - 16. The method of claim 1, wherein the step of periodically verifying the authenticity of the instance certificate includes retrieving the instance certificate from the trust keystore, and using it to verify the signatures of the trust keystore and the instance base secret.
  - 19. The method of claim 1, wherein the step of using the utility application to install the particular instance of the software application at a particular computer system, further includes creating and storing a keyfile that includes the instance base secret and the instance public key.

9. A system for use in deploying a symmetric key in a software application comprising:
- a microprocessor;
  
  a software application provided as source code for installation at a plurality of computer systems;
  
  an application-base-secret, provided within the source code of the software application, wherein the application-base-secret is accessible by all installed instances of the software application at the plurality of computer systems;
  
  an application-keypair, which includes an application public key and an application private key, provided within the source code of the software application, wherein the application public key of the application-keypair is accessible by all installed instances of the software application, and wherein the application private key is associated with a utility application; and
  
  an installer at a particular computer system that incorporates the utility application and thatgenerates, at the time of installation of the software application, an instance-base-secret wherein the instance-base-secret is unique to a particular instance of the software application at the particular computer system,encrypts the instance-base-secret using the application private key from the application-keypair that is associated with the utility application,generates, during installation of the software application, an instance-keypair, using the application-base-secret and the instance-base-secret, which includes an instance public key and an instance private key, wherein the instance-keypair is also unique to the particular instance of the software application,creates an instance certificate using a certificate authority and the instance public key from the instance-keypair, so that the instance certificate is unique to the particular instance of the software application,creates a digital signature of the encrypted instance-base-secret using the instance private key of the instance-keypair, and uses the digital signature to sign the instance certificate,associates the instance certificate with the particular instance of the software application, andremoves the instance private key; and
  
  wherein the authenticity of the instance certificate is thereafter periodically verified.
- View Dependent Claims (10, 11, 12, 13, 17, 18, 20)
- - 10. The system of claim 9, wherein the installer further, after creating the instance certificate and the digital signature, removes the private key of the instance-keypair from the installation of the software application.
  - 11. The system of claim 9, wherein the source code is stored on a computer readable medium, together with the application-base-secret and the application-keypair, prior to installation of the software application so that they are accessible to each of the installed instances of the software application, and wherein the instance-base-secret and the instance-keypair are subsequently generated by an installer at the computer system during installation of the particular instance of the software application.
  - 12. The system of claim 9, wherein a public key of the application-keypair is copied to a system disk to be subsequently shared by all installations of the application, and wherein a private key of the application-keypair is embedded into a separate utility application which is not installed on the disk with the rest of the application binaries, but is made available for use by the system upon request.
  - 13. The system of claim 9, wherein the instance certificate for the particular instance of the software application is periodically verified by accessing the instance certificate associated with that instance, retrieving its public key, and using that to verify the instance-base-secret previously stored in the digital signature.
  - 17. The system of claim 9, further comprising the steps of:
    - storing an entry for the certificate authority in a trust keystore;
      
      creating a digital signature of the encrypted instance-base-secret and the trust keystore, using the private key of the instance-keypair; and
      
      deleting the private key associated with the instance.
  - 18. The system of claim 9, wherein the step of periodically verifying the authenticity of the instance certificate includes retrieving the instance certificate from the trust keystore, and using it to verify the signatures of the trust keystore and the instance base secret.
  - 20. The system of claim 9, wherein the utility application used to install the particular instance of the software application at a particular computer system, further creates and stores a keyfile that includes the instance base secret and the instance public key.

14. A non-transitory computer readable medium, including instructions stored thereon, which when read and executed by a computer cause the computer to perform the steps comprising:
- receiving a software application as source code, for installation at the computer;
  
  retrieving, from within the source code of the software application, an application-base-secret which is accessible by all installed instances of the software application;
  
  retrieving, from within the source code of the software application, an application-keypair, which includes an application public key and an application private key, wherein the application public key of the application-keypair is also accessible by all installed instances of the software application, and wherein the application private key is associated with a utility application;
  
  installing a particular instance of the software application at a particular computer system, using the utility application, including, for the particular instance,generating, at the time of installation of the particular instance of the software application at the particular computer system, an instance-base-secret which is unique to the particular instance of the software application,encrypting the instance-base-secret using the application private key from the application-keypair that is associated with the utility application,generating an instance-keypair, using the application-base-secret and the instance-base-secret, which includes an instance public key and an instance private key, wherein the instance-keypair is also unique to the particular instance of the software application,creating an instance certificate using a certificate authority and the instance public key from the instance-keypair, so that the instance certificate is unique to the particular instance of the software application,creating a digital signature of the encrypted instance-base-secret using the instance private key of the instance-keypair, and using the digital signature to sign the instance certificate,associating the instance certificate with the particular instance of the software application, andremoving the instance private key; and
  
  thereafter periodically verifying the authenticity of the instance certificate.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Oracle International Corporation (Oracle Corporation)
Original Assignee
Oracle International Corporation (Oracle Corporation)
Inventors
Pilipchuk, Denis
Primary Examiner(s)
Arani, Taghi
Assistant Examiner(s)
MEHEDI, MORSHED D

Application Number

US11/428,736
Publication Number

US 20080008316A1
Time in Patent Office

2,134 Days
Field of Search

380/45, 380/277, 713/156
US Class Current

380/45
CPC Class Codes

G06F 21/12   Protecting executable software

G06F 21/6209   to a single file or object,...

H04L 9/088   Usage controlling of secret...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

System and method for enterprise security including symmetric key protection

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

17 Citations

20 Claims

Specification

Use Cases

Quick Links

Others

System and method for enterprise security including symmetric key protection

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

17 Citations

20 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others