Roaming utilizing an asymmetric key pair

US 8,213,608 B2
Filed: 09/08/2008
Issued: 07/03/2012
Est. Priority Date: 02/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method for authenticating a user seeking access to information via a network from a user network location (UNL), using a asymmetric crypto-key having a private key (Dx) and a public key (Ex), with Dx split into multiple key portions including a user key portion (Dxx) and a trusted server key portion (Dxs), and with Dxx being computable based on a first factor (F1) and a second factor (F2), the method comprising:

persistently storing Dxs, F2, and a symmetric crypto-key (S) at a trusted server; and

authenticating the user by (i) receiving, at the UNL, initial authentication information as a user input, (ii) transmitting, from the UNL, the received initial authentication information, (iii) initially authenticating the user, at the trusted server, based on the transmitted initial authentication information, (iv) encrypting, at the trusted server after the initial authentication, the stored F2 with the stored S, (v) transmitting, from the trusted server, encrypted F2, (vi) receiving, at the UNL, a user input corresponding to the first factor, (vii) computing S, at the UNL, based on the input initial authentication information, (viii) decrypting the transmitted encrypted F2, at the UNL, with the computed S, (ix) computing Dxx, at the UNL, based on the user input corresponding to F1 and the decrypted F2, (x) encrypting a message, at the UNL, with the computed Dxx, (xi) transmitting the encrypted message from the UNL, and (xii) decrypting, at the trusted server, the transmitted encrypted message with the stored Dxs.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for generating a portion of a split private key are provided. A first symmetric key and a second symmetric key different than the first symmetric key are generated at a first location. The generated second symmetric key and a first one of multiple factors for generating the private key portion encrypted with the generated first symmetric key are transmitted. Then, at a second network location, the symmetric keys are again generated. The encrypted first factor is received at the second network location subsequent to a user authentication based upon the second symmetric key generated at the second network location. The received encrypted first factor is then decrypted with the first symmetric key generated at the second network location, the decrypted first factor usable to generate the portion of the split private key of the asymmetric key pair.

Citations

20 Claims

1. A method for authenticating a user seeking access to information via a network from a user network location (UNL), using a asymmetric crypto-key having a private key (Dx) and a public key (Ex), with Dx split into multiple key portions including a user key portion (Dxx) and a trusted server key portion (Dxs), and with Dxx being computable based on a first factor (F1) and a second factor (F2), the method comprising:
- persistently storing Dxs, F2, and a symmetric crypto-key (S) at a trusted server; and
  
  authenticating the user by (i) receiving, at the UNL, initial authentication information as a user input, (ii) transmitting, from the UNL, the received initial authentication information, (iii) initially authenticating the user, at the trusted server, based on the transmitted initial authentication information, (iv) encrypting, at the trusted server after the initial authentication, the stored F2 with the stored S, (v) transmitting, from the trusted server, encrypted F2, (vi) receiving, at the UNL, a user input corresponding to the first factor, (vii) computing S, at the UNL, based on the input initial authentication information, (viii) decrypting the transmitted encrypted F2, at the UNL, with the computed S, (ix) computing Dxx, at the UNL, based on the user input corresponding to F1 and the decrypted F2, (x) encrypting a message, at the UNL, with the computed Dxx, (xi) transmitting the encrypted message from the UNL, and (xii) decrypting, at the trusted server, the transmitted encrypted message with the stored Dxs.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method according to claim 1, wherein:
    - F1 corresponds to a user password;
      
      the asymmetric crypto-key is a first asymmetric crypto-key;
      
      F2 is the private key of a second asymmetric crypto-key having a private key and a public key; and
      
      the initial authentication information includes user answers to questions.
  - 3. The method according to claim 1, wherein:
    - authenticating the user further includes transmitting, from the trusted server, initial authentication questions;
      
      the initial authentication information is input in response to the transmitted initial authentication questions; and
      
      S is computed based also on the transmitted initial authentication questions.
  - 4. The method according to claim 1, wherein:
    - S is a second symmetric crypto-key (82);
      
      F2 is persistently stored, at the trusted server, encrypted with a first symmetric crypto-key (S1), different than S2;
      
      authenticating the user at the UNL further includes (i) transmitting, from the trusted server, initial authentication questions, in response to which the initial authentication information is input at the UNL, and (ii) computing S1, at the UNL, based on the transmitted initial authentication questions and the input initial authentication information;
      
      S2 is computed, at the UNL, based also on the transmitted initial authentication questions; and
      
      the transmitted encrypted F2 is also decrypted, at the UNL, with the computed S1.
  - 5. The method according to claim 4, wherein the UNL is a secondary user network location (SUNL), and the method further comprises:
    - persistently storing F2 encrypted with S1 at a primary user network location (PUNL); and
      
      authenticating the user for access to information via the network from the PUNL by (i) receiving, at the PUNL, a user input corresponding to F1, (ii) computing S1 at the PUNL, (iii) decrypting the encrypted F2 stored at the PUNL with the computed S1 (ii) computing Dxx, at the PUNL, based on the user input and the decrypted F2, (iii) encrypting a message, at the PUNL, with the computed Dxx, (iv) transmitting the encrypted message from the PUNL, and (v) decrypting the transmitted encrypted message, at the trusted server, with the stored Dxs.
  - 6. The method according to claim 4, wherein:
    - S1 is computed at the UNL based also on a key derivation algorithm and a first iteration count; and
      
      S2 is computed at the UNL based also on the key derivation algorithm and a second iteration count.
  - 7. The method according to claim 6, wherein:
    - the key derivation algorithm is the PKCS-5 algorithm; and
      
      the second iteration count is greater than the first iteration count.

8. An article of manufacture for authenticating a user seeking access via a network from a user network station (UNS) using a asymmetric crypto-key having a private key (Dx) and a public key (Ex), with Dx split into multiple key portions including a user key portion (Dxx) and an trusted server key portion (Dxs), and with Dxx being computable based on a first factor (F1) and a second factor (F2), comprising:
- non-transitory computer readable storage media; and
  
  computer programming stored on the storage media, wherein the stored computer programming is configured to be readable by computers and thereby cause the computers to operate so as to;
  
  persistently store Dxs, F2, and a symmetric crypto-key (S), at a trusted server,receive initial authentication information as a user input at the UNS,transmit the input initial authentication information from the UNS,initially authenticate the user, at the trusted server, based on the transmitted initial authentication information,encrypt, at the trusted server after the initial authentication, the stored F2 with the stored S,transmit the encrypted F2 from the trusted server,receive a user input corresponding to F1 at the UNS,compute the S, at the UNS, based on the input initial authentication information,decrypt the transmitted encrypted F2, at the UNS, with the computed S,compute Dxx, at the UNS, based on the user input corresponding to F1 and the decrypted F2,encrypt a message, at the UNS, with the computed Dxx,transmit the encrypted message from the UNS, anddecrypt the transmitted encrypted message, at the trusted server, with the stored Dxs to thereby authenticate the user for access from the UNS.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The article of manufacture according to claim 8, wherein:
    - F1 corresponds to a user password;
      
      the asymmetric crypto-key is a first asymmetric crypto-key;
      
      F2 is the private key of a second asymmetric crypto-key having a private key and a public key; and
      
      the initial authentication information includes user answers to questions.
  - 10. The article of manufacture according to claim 8, wherein the stored computer programming is further configured to be readable by computers and thereby also cause the computers to operate so as to:
    - transmit initial authentication questions from the trusted server;
      
      receive the initial authentication information at the UNS in response to the transmitted initial authentication questions; and
      
      compute S, at the UNS, based also on the transmitted initial authentication questions.
  - 11. The article of manufacture according to claim 8, wherein S is a second symmetric crypto-key (S2) and the stored computer programming is further configured to be readable by computers and thereby also cause the computers to operate so as to:
    - encrypt F2, at the trusted server, with a first symmetric crypto-key (S1), the F2 persistently stored at the trusted server being this encrypted F2;
      
      transmit initial authentication questions from the trusted server;
      
      receive the initial authentication information at the UNS in response to the transmitted initial authentication questions;
      
      compute S2, at the UNS, based also on the transmitted initial authentication questions;
      
      compute Sl, at the UNS, based on the transmitted initial authentication questions and the input initial authentication information; and
      
      decrypt the transmitted encrypted F2, at the UNS, also with the computed Sl.
  - 12. The article of manufacture according to claim 11, wherein the UNS is a secondary user network station (SUNS) and the stored computer programming is further configured to be readable by computers and thereby also cause the computers to operate so as to:
    - persistently store F2 encrypted with S1 at a primary user network station (PUNS);
      
      receive a user input corresponding to F1 at the PUNS;
      
      compute S1 at the PUNS;
      
      decrypt the encrypted F2 stored at the PUNS with the computed Sl;
      
      compute Dxx, at the PUNS, based on the user input and the decrypted F2;
      
      encrypt a message, at the PUNS, with the computed Dxx;
      
      transmit the encrypted message from the PUNS; and
      
      decrypt the transmitted encrypted message, at the trusted server, with the stored Dxs to thereby authenticate the user for access from the PUNS.
  - 13. The article of manufacture according to claim 11, wherein the stored computer programming is further configured to be readable by computers and thereby also cause the computers to operate so as to:
    - compute S1 at the UNS based also on a key derivation algorithm and a first iteration count; and
      
      compute S2 at the UNS based also on the key derivation algorithm and a second iteration count.
  - 14. The article of manufacture according to claim 13, wherein:
    - the key derivation algorithm is the PKCS-5 algorithm; and
      
      the second iteration count is greater than the first iteration count.

15. A network device for accessing a network by a user having an asymmetric crypto-key having a private key (Dx) and a public key (Ex), with Dx split into multiple key portions including a user key portion (Dxx) and an trusted server key portion (Dxs), and with Dxx being computable based on a first factor (F1) and a second factor (F2), the device comprising:
- a user interface for receiving user inputs including a first user input representing initial authentication information and a second user input corresponding to F1;
  
  a communications interface (i) for transmitting the first user input via the network, and (ii) for receiving, in response to transmission of the first user input, F2 encrypted with a symmetric crypto-key (S) via the network; and
  
  a processor having logic that is executable to (i) compute S based on the received first user input, (ii) decrypt the received encrypted F2 with the computed S, (iii) compute Dxx based on the received second user input and the decrypted F2, (iv) encrypt a message with the computed Dxx, and (vi) direct transmission of the encrypted message;
  
  wherein the communications interface is also for transmitting the encrypted message to an authenticating entity in accordance with the processor directive to thereby authenticate the user to the authenticating entity.
- View Dependent Claims (16, 17, 18, 19, 20)
- - 16. The network device according to claim 15, wherein:
    - F1 corresponds to a user password;
      
      the asymmetric crypto-key is a first asymmetric crypto-key; and
      
      F2 is the full private key of a second asymmetric crypto-key having a private key and a public key.
  - 17. The network device according to claim 15, wherein:
    - the communications interface is also for receiving initial authentication questions;
      
      the user interface receives the first user input in response to the receipt of the initial authentication questions, and the first user input includes answers to the received initial authentication questions; and
      
      the processor has further logic that is executable to compute S based also on the transmitted initial authentication questions.
  - 18. The network device according to claim 17, wherein:
    - S is a second symmetric crypto-key (S2);
      
      the received F2 is also encrypted with a first symmetric crypto-key (S1); and
      
      the processor has further logic that is executable to compute S1 based on the received initial authentication questions and the first user input, and decrypt the received encrypted F2 also with the computed S1.
  - 19. The network device according to claim 18, wherein:
    - the processor has further logic that is executable to compute (i) S1 based also on a key derivation algorithm and a first iteration count, and (i) S2 based also on the key derivation algorithm and a second iteration count.
  - 20. The network device according to claim 19, wherein:
    - the key derivation algorithm is the PKCS-5 algorithm; and
      
      the second iteration count is greater than the first iteration count.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Sandhu, Ravinderpal Singh, Schoppert, Brett Jason, Ganesan, Ravi, Bellare, Mihir, deSa, Colin Joseph
Primary Examiner(s)
Orgad, Edan
Assistant Examiner(s)
SCHMIDT, KARI L

Application Number

US12/206,304
Publication Number

US 20090222658A1
Time in Patent Office

1,394 Days
Field of Search

726 3- 7, 380/30, 380/44, 380/277, 380/283, 380/286, 713/155, 713/156
US Class Current

380/44
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 9/0822   using key encryption key

H04L 9/085   Secret sharing or secret sp...

H04L 9/0863   involving passwords or one-...

H04L 9/0897   involving additional device...

H04L 9/14   using a plurality of keys o...

H04L 9/3213   using tickets or tokens, e....

H04L 9/3236   using cryptographic hash fu...

H04L 9/3297   involving time stamps, e.g....

Roaming utilizing an asymmetric key pair

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Roaming utilizing an asymmetric key pair

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links