Authorizing administrative operations using a split knowledge protocol
Abstract
A system and method for authorizing administrative operations in a computer is provided. The computer initiates the split knowledge protocol upon an attempt by an administrator to invoke the operations. The administrator identifies a predetermined number of entities designated to authorize the operation. The computer creates a bit sequence and splits the bit sequence into a number of segments equal to the predetermined number of entities. Each entity thereafter decrypts a respective element to essentially authorize invocation of the operations. In response, the computer processes the decrypted segments to re-create the bit sequence. As an added level of security, the computer compares the re-created bit sequence with the originally created sequence and, if they match, performs the operations.
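The challenge-and-compare flow described in the abstract, as an added Python example that is not code from the patent. The `RecoveryCard` class, the 16-byte segment size and the symmetric HMAC-SHA256 encrypt-then-MAC construction are assumptions; the HMAC construction is a stand-in for whatever cipher and key type the detachable storage devices actually use.

```python
import hashlib
import hmac
import secrets

SEG_LEN = 16  # bytes per segment (assumed size)


def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode: stand-in keystream, not a vetted cipher.
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]


def _tag(key, nonce, body):
    return hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()


def seal(key, segment):
    # Encrypt-then-MAC one segment under the key associated with one entity.
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(segment, _stream(key, nonce, len(segment))))
    return nonce + body + _tag(key, nonce, body)


class RecoveryCard:
    """Hypothetical model of one entity's detachable storage device."""

    def __init__(self):
        self.key = secrets.token_bytes(32)

    def decrypt(self, blob):
        nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
        if not hmac.compare_digest(tag, _tag(self.key, nonce, body)):
            raise ValueError("segment was not encrypted for this card")
        return bytes(a ^ b for a, b in zip(body, _stream(self.key, nonce, len(body))))


def issue_challenge(cards):
    # Generate the bit sequence, split it one segment per entity, encrypt each.
    seq = secrets.token_bytes(SEG_LEN * len(cards))
    segs = [seq[i * SEG_LEN:(i + 1) * SEG_LEN] for i in range(len(cards))]
    return seq, [seal(c.key, s) for c, s in zip(cards, segs)]


def authorize(seq, returned):
    # Recreate the sequence from the returned segments; only an exact match authorizes.
    return hmac.compare_digest(b"".join(returned), seq)
```

A fresh sequence is generated per request, so segments returned for one operation cannot be replayed to authorize a later one; a missing, reordered or guessed segment makes `authorize` return `False`.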
25 Claims
1. A method for authorizing an administrative operation on a computer, comprising:
- identifying a predetermined number of entities designated to authorize the administrative operation;
- generating, by a processor of the computer, a bit sequence;
- splitting the bit sequence into a number of segments equal to the predetermined number of entities designated to authorize the administrative operation;
- encrypting each of the segments with a key specifically associated with each entity;
- decrypting, by each entity, each of the encrypted segments using a detachable storage device associated with that entity to result in individually decrypted segments;
- generating a recreated bit sequence from each of the individually decrypted segments received from each entity; and
- comparing the recreated bit sequence, that was generated from each of the individually decrypted segments received from each entity, to the bit sequence where only a match between the recreated bit sequence and the bit sequence authorizes the administrative operation to be performed on the computer.
13. A system configured to authorize an administrative operation, the system comprising:
a computer comprising one or more processors configured to, in response to receiving a request to perform the administrative operation, identify a predetermined number of entities designated to authorize the administrative operation, generate a bit sequence, split the bit sequence into a number of segments equal to the predetermined number of entities, encrypt each of the segments with a key specifically associated with each entity, send each encrypted segment to its associated entity, receive decrypted segments from each entity wherein each entity uses a detachable storage device associated with that entity to perform the decryption to result in individually decrypted segments, generate a recreated bit sequence from the individually decrypted segments, and compare the recreated bit sequence, generated from the individually decrypted segments, to the bit sequence where only a match between the recreated bit sequence and the bit sequence authorizes the administrative operation to be performed.
19. A non-transitory computer readable medium containing executable program instructions executed by a processor, comprising:
- program instructions that identify a predetermined number of entities designated to authorize an operation;
- program instructions that generate a bit sequence;
- program instructions that split the bit sequence into a number of segments equal to the predetermined number of entities;
- program instructions that encrypt each of the segments with a key specifically associated with each entity;
- program instructions that decrypt, at each entity, each of the encrypted segments using a detachable storage device associated with that entity to result in individually decrypted segments;
- program instructions that generate a recreated bit sequence from each of the individually decrypted segments received from each entity; and
- program instructions that compare the recreated bit sequence, generated from each of the individually decrypted segments, to the bit sequence where only a match between the recreated bit sequence and the bit sequence authorizes the operation to be performed on a computer having one or more processors.
21. A method for authorizing an administrative operation on a computer, the method comprising:
- identifying a predetermined number of entities designated to authorize the operation, the predetermined number of entities being designated based on the administrative operation;
- generating, by a processor of the computer, a bit sequence;
- splitting the bit sequence into a number of segments equal to the predetermined number of entities;
- encrypting each of the segments with a key specifically associated with at least one of the entities;
- decrypting, by each entity, each of the encrypted segments using a detachable storage device associated with that entity to result in individually decrypted segments; and
- re-generating the bit sequence from the individually decrypted segments received from each entity, wherein a match between the re-generated bit sequence, from the individually decrypted segments received from each entity, and the bit sequences authorizes the administrative operation.
Specification