System and method for initial key establishment using a split knowledge protocol
First Claim
1. A method for establishing an initial key for use in authenticating a new computer to an existing computer operatively connected in a cluster, comprising:
- generating a bit sequence on the existing computer;
- splitting the bit sequence into a predetermined number of segments at the existing computer;
- encrypting one or more of the segments with an associated key at the existing computer, wherein encrypting the one or more segments comprises encrypting at least one of the one or more segments with a second associated key that is different than the associated key;
- transmitting the encrypted segments to the new computer;
- decrypting the encrypted segments using the associated key at the new computer; and
- recovering the bit sequence from the decrypted segments to establish the initial key.
Abstract
A split knowledge protocol adapted to establish an initial key for use in authenticating a first computer to a second computer. The second computer initiates the split knowledge protocol by generating a bit sequence and splitting the sequence into a predetermined number of segments. The second computer then encrypts each segment with a predetermined key associated with each segment before transmitting each encrypted segment to the first computer. In response, the first computer decrypts each encrypted segment using the associated key. The first computer then recovers the bit sequence from the decrypted segments. Accordingly, the first and second computers have knowledge of (i.e., access to) the same bit sequence, which may thus be used as the initial key.
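The exchange described in the abstract, sketched as an added example that is not taken from the patent or its specification. It assumes both computers already hold the per-segment keys, uses hypothetical function names, and substitutes a standard-library stand-in (HMAC-SHA256 keystream plus an HMAC tag) for whatever cipher an implementation would actually use, such as AES-GCM.

```python
import hashlib, hmac, secrets

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in cipher: HMAC-SHA256 in counter mode (use AES-GCM or similar in practice).
    blocks = (hmac.new(key, b"enc" + nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
              for c in range(-(-n // 32)))
    return b"".join(blocks)[:n]

def seal(key: bytes, index: int, segment: bytes) -> bytes:
    """Encrypt one segment under its associated key; the tag binds the segment position."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(segment, _keystream(key, nonce, len(segment))))
    tag = hmac.new(key, b"mac" + bytes([index]) + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key: bytes, index: int, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    want = hmac.new(key, b"mac" + bytes([index]) + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, want):
        raise ValueError(f"segment {index}: wrong key, wrong position, or modified data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def existing_computer_send(segment_keys, nbytes=32):
    """Generate the bit sequence, split it, and encrypt each segment with its own key."""
    bit_sequence = secrets.token_bytes(nbytes)
    size = -(-nbytes // len(segment_keys))  # ceiling division
    segments = [bit_sequence[i * size:(i + 1) * size] for i in range(len(segment_keys))]
    blobs = [seal(k, i, s) for i, (k, s) in enumerate(zip(segment_keys, segments))]
    return bit_sequence, blobs

def new_computer_recover(segment_keys, blobs):
    """Decrypt every segment and concatenate; any failing segment aborts recovery."""
    if len(segment_keys) != len(blobs):
        raise ValueError("need exactly one key per encrypted segment")
    return b"".join(unseal(k, i, b) for i, (k, b) in enumerate(zip(segment_keys, blobs)))

if __name__ == "__main__":
    keys = [secrets.token_bytes(32) for _ in range(3)]  # constructed sample keys
    initial_key, wire = existing_computer_send(keys)
    assert new_computer_recover(keys, wire) == initial_key
    print("initial key established:", initial_key.hex())
```

A holder of a single segment key can decrypt only that segment, which is the split-knowledge property; recovery of the full sequence requires every key.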
20 Claims
13. A system configured to establish an initial key in a clustered environment, comprising:
- a second computer configured to operatively connect with a first computer in the clustered environment;
- the first computer configured to receive a request from the second computer, and in response, generate a bit sequence, split the bit sequence into a predetermined number of segments, encrypt one or more of the segments with a recovery key associated with at least one recovery card of a plurality of recovery cards of the clustered environment, and transmit the encrypted segments to the first computer, wherein the first computer is further configured to encrypt at least one of the one or more segments with a second associated key that is different than the associated key; and
- the second computer further configured to decrypt the encrypted segments using the recovery key and further configured to recover the bit sequence from the decrypted segments.
Specification