Techniques for key distribution for use in encrypted communications
Abstract
Techniques for key distribution used with encrypted communications are provided. A shared secret associated with a principal is maintained securely and separately from the principal. If the principal is authenticated, the shared secret is acquired from the secure data store and used to encrypt a session key. An encrypted authentication token is also generated. The session key is used by the principal to encrypt communications with services, and the authentication token vouches for the identity of the principal.
12 Claims
1. A machine-implemented method to execute on a proxy, the method comprising:

receiving, from a principal and by the method, a request for an authentication token, the principal already authenticated to the method when the request is received from the principal;

obtaining, by the method, from a secure storage a secret associated with the principal, access to the secure storage is exclusive to the method and the secure storage is managed by the method, the secret is not shared with the principal, the secret supplied separately to the secret storage by an administrator for the principal and entered by the administrator on behalf of the principal using offline techniques during a different interaction than that which is associated with receiving the request from the principal, the secret storage associated exclusively with the principal by the method; and

generating, by the method, the authentication token as an encrypted token, the authentication token when presented by the principal vouches for an identity of the principal when the principal subsequently interacts with the method and with other services or other principals, the other services or the other principals also interact with the method, the generated authentication token including some random information managed by the method to ensure subsequent encryption tokens generated are different in terms of their content even though a same encryption technique is being used with the encryption token and with the subsequent encryption tokens, and storing the encrypted token and the subsequent encrypted tokens in the secret store.

(Dependent claims 2 to 6 not shown.)

7. A machine-implemented method to execute on a device, the method comprising:

automatically authenticating a principal without interaction of the principal, a separate directory service authenticating the principal separate from the method;

acquiring an encrypted version of a token and an encrypted version of a session key from a secure data store in response to authenticating the principal, the method having exclusive access to the secure data store and managing the secure data store, the secure data store exclusively associated with the principal, each different principal having a different secure data store that is exclusively managed by the method; and

delivering the encrypted version of the token and the encrypted version of the session key to the principal by permitting the principal via a separate interaction to download the encrypted version of the token and the encrypted version of the session key from the secure storage, the token vouching for an identity of the principal as the principal interacts with the method and the different principals, encryption is the same for the principal in subsequent sessions although content for subsequent encrypted versions of the token is different.

(Dependent claims 8 to 12 not shown.)
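As an added illustration, not code from the patent, the following Python models the exchange the abstract and claims 1 and 7 describe: an administrator provisions a per-principal secret into a store only the proxy can read, an authenticated principal is issued an encrypted token carrying fresh random data so that repeated tokens differ even though the same cipher and key are used, and a session key encrypted under the stored secret is kept in that principal's store for download. The cipher (HMAC-SHA256 as a keystream with encrypt-then-MAC, standing in for an AEAD such as AES-GCM), the `Proxy`, `issue`, `identity_from_token` and `principal_unseals` names, the boolean stand-in for the directory service, and the assumption that the administrator also configured the secret on the principal's device are all illustrative choices, not taken from the page.

```python
# Added example (not the patent's own code): a stand-alone model of the proxy of claims 1 and 7.
# The cipher is HMAC-SHA256 as keystream plus encrypt-then-MAC so the block needs only the
# standard library; a deployment would use an AEAD such as AES-GCM. Names are illustrative.
import hashlib, hmac, json, secrets, time
from typing import Optional

NONCE_LEN, TAG_LEN, BLOCK = 16, 32, 32

def _prf(key: bytes, label: bytes, data: bytes = b"") -> bytes:
    """HMAC-SHA256 as a PRF; the label separates key derivation, keystream and tag."""
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (length + BLOCK - 1) // BLOCK
    return b"".join(_prf(_prf(key, b"enc"), b"ks", nonce + i.to_bytes(4, "big")) for i in range(blocks))

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag; the fresh nonce is the 'random information' of claim 1
    that makes every token differ even though the technique and key are the same."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + _prf(_prf(key, b"mac"), b"tag", nonce + ciphertext)

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Constant-time tag check before any decryption; raises ValueError on tampering."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), b"tag", nonce + ciphertext)):
        raise ValueError("authentication tag mismatch")
    return bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))

class Proxy:
    """The method 'executing on a proxy': sole owner of one secure store per principal."""
    def __init__(self) -> None:
        self._token_key = secrets.token_bytes(32)   # never leaves the proxy
        self._stores, self._authenticated = {}, set()

    def provision(self, principal: str, secret: bytes) -> None:
        """Administrator enters the secret offline, in a separate interaction (claim 1)."""
        self._stores[principal] = {"secret": secret, "tokens": [], "session_keys": []}

    def authenticate(self, principal: str, directory_says_ok: bool) -> bool:
        """Stand-in for the separate directory service of claim 7 (assumed interface)."""
        if directory_says_ok and principal in self._stores:
            self._authenticated.add(principal)
        return principal in self._authenticated

    def issue(self, principal: str) -> tuple:
        """Encrypted token with fresh random content plus a session key sealed under the
        principal's stored secret; both stay in that principal's store (claims 1 and 7)."""
        if principal not in self._authenticated:
            raise PermissionError("authenticate before requesting a token")
        store = self._stores[principal]
        claims = {"sub": principal, "iat": int(time.time()), "nonce": secrets.token_hex(16)}
        token, session_key = encrypt(self._token_key, json.dumps(claims).encode()), secrets.token_bytes(32)
        store["tokens"].append(token)
        store["session_keys"].append(session_key)
        return token, encrypt(store["secret"], session_key)

    def identity_from_token(self, token: bytes) -> Optional[str]:
        """A service hands a presented token back; the proxy vouches for the identity or not."""
        try:
            sub = json.loads(decrypt(self._token_key, token)).get("sub")
        except ValueError:
            return None
        return sub if sub in self._stores and token in self._stores[sub]["tokens"] else None

    def current_session_key(self, principal: str) -> bytes:
        return self._stores[principal]["session_keys"][-1]   # what a service uses to reply

def principal_unseals(secret: bytes, enc_session_key: bytes) -> bytes:
    """Principal side. Assumed: the administrator also configured this copy of the secret on
    the principal's device, so the downloaded session key can be unsealed there."""
    return decrypt(secret, enc_session_key)

def demo() -> dict:
    """Constructed walkthrough; returns checkable facts rather than printing them."""
    proxy, alice_secret = Proxy(), secrets.token_bytes(32)
    proxy.provision("alice", alice_secret)
    if not proxy.authenticate("alice", directory_says_ok=True):
        raise RuntimeError("directory rejected alice")
    token_a, _ = proxy.issue("alice")
    token_b, enc_key_b = proxy.issue("alice")
    session_key = principal_unseals(alice_secret, enc_key_b)
    reply = encrypt(proxy.current_session_key("alice"), b"hello alice")   # sent by a service
    forged = bytearray(token_a)
    forged[-1] ^= 1                                                      # flip one tag bit
    return {
        "tokens_differ": token_a != token_b,
        "vouched_identity": proxy.identity_from_token(token_a),
        "forged_rejected": proxy.identity_from_token(bytes(forged)) is None,
        "principal_reads_reply": decrypt(session_key, reply),
    }
```

Calling `demo()` exercises the whole path: two tokens issued to the same principal differ in content, a service learns the identity only by asking the proxy, a token with one flipped bit is refused because the tag check fails before decryption, and the principal can read a service reply only after unsealing the session key. Note that claim 1 says the secret "is not shared with the principal" while the abstract calls it a shared secret and has the principal use the session key; the page does not say how the principal recovers that key, so the example assumes an out-of-band copy of the secret on the principal's device and labels it as such.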