Securing multifactor split key asymmetric crypto keys

US 8,340,287 B2
Filed: 03/23/2010
Issued: 12/25/2012
Est. Priority Date: 02/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method for securing an asymmetric crypto-key having a public key and a split private key with a first private portion and a second private portion, comprising:

generating a first asymmetric key pair and a second asymmetric key pair, wherein a private key of the first key pair is used as a first factor which is stored on a user device, and wherein a private key of the second key pair is used as a second factor stored on a portable storage device;

generating the first private portion by cryptographically transforming the first factor and second factor;

generating a signature based on a challenge and the first private portion; and

transmitting the signature to an entity,wherein a second private portion of the split private key is stored on the entity;

wherein the first private portion and the second private portion are combinable to form a complete private key; and

wherein the second private portion cannot be accessed by the user.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for securing an asymmetric crypto-key having a public key and a split private key with multiple private portions are provided. A first one of multiple factors is stored. All of the factors are under the control of a user and all are required to generate a first private portion of the split private key. The first private portion not stored in a persistent state. A second private portion of the split private key under control of an entity other than the user is also stored. The first private portion and the second private portion are combinable to form a complete private portion.

96 Citations

View as Search Results

16 Claims

1. A method for securing an asymmetric crypto-key having a public key and a split private key with a first private portion and a second private portion, comprising:
- generating a first asymmetric key pair and a second asymmetric key pair, wherein a private key of the first key pair is used as a first factor which is stored on a user device, and wherein a private key of the second key pair is used as a second factor stored on a portable storage device;
  
  generating the first private portion by cryptographically transforming the first factor and second factor;
  
  generating a signature based on a challenge and the first private portion; and
  
  transmitting the signature to an entity,wherein a second private portion of the split private key is stored on the entity;
  
  wherein the first private portion and the second private portion are combinable to form a complete private key; and
  
  wherein the second private portion cannot be accessed by the user.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1,wherein the method further comprises storing a third factor associated with the first private portion;
    - andwherein generating the first private portion includes cryptographically transforming the second factor based on the third factor.
  - 3. The method of claim 2, wherein the third factor is not stored in a persistent state.
  - 4. The method of claim 3, further comprising:
    - generating the third factor based upon a user password.
  - 5. The method of claim 2, further comprising signing the second factor with the first factor;
    - and wherein;
      
      generating of the first portion includes combining the signed second factor with a salt and iteration count using the algorithm PKCS-5 (sign {Sha-1 (sign {Sha-1 (second factor, first factor}), third factor}, salt, iteration count).
  - 6. The method of claim 1, further comprising signing the second factor with the first factor;
    - andwherein generating the first private portion includes combining the signed second factor with a salt and an iteration count by applying the algorithm PKCS-5 (sign {Sha-1(second factor), first factor}, salt, iteration count).

7. The method of 1, further comprising:
- non-persistently storing the generated first private portion for a limited time period; and
  
  during a limited time period applying the stored first private portion to authenticate a user multiple times.

8. A system for securing an asymmetric crypto-key having a public key and a split private key with a first private portion and a second private portion, comprising:
- a cryptographic key generation mechanism configured to generate a first asymmetric key pair and a second asymmetric key pair, wherein a private key of the first key pair is used as a first factor which is stored on a user device, and wherein a private key of the second key pair is used as a second factor stored on a portable storage device;
  
  a challenge-response mechanism configured to generate the first private portion by cryptographically transforming the first factor and second factor, and further configured to generate a signature based on a challenge and the first private portion; and
  
  a communication mechanism configured to transmit the signature to an entity,wherein a second private portion of the split private key is stored on the entity;
  
  wherein the first private portion and the second private portion are combinable to form a complete private key; and
  
  wherein the second private portion cannot be accessed by the user.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The system of claim 8,further comprising a data repository configured to receive a third factor associated with the first private portion and store the third;
    - wherein the challenge-response mechanism is further configured to generate the first private portion by cryptographically transforming the second factor based on the third factor.
  - 10. The system of claim 9, wherein the third factor is not stored in a persistent state.
  - 11. The system of claim 10, whereinthe third factor is obtained based upon a user password.
  - 12. The system of claim 9, wherein:
    - the challenge-response mechanism is further configured to generate the first private portion by signing the second factor with the first factor and combining the signed second factor with a salt and iteration count by applying the algorithm PKCS-5 (sign {Sha-1 (second factor), first factor}), third factor}, salt, iteration count).
  - 13. The system of claim 8, wherein:
    - the challenge-response mechanism is further configured to generate the first private portion by signing the second factor with the first factor and combining the signed second factor with a salt and iteration count by applying the algorithm PKCS-5 (sign {Sha-1 (second factor), first factor}, salt, iteration count).
  - 14. The system of claim 8,further comprising an authentication mechanism to non-persistently store the generated first private portion for a limited time period after generation, andto apply the stored first private portion to authenticate a user multiple times during the limited time.

15. A non-transitory storage medium storing instructions which when executed by a computer cause the computer to perform a method for securing an asymmetric crypto-key having a public key and a split private key with a first private portion and a second private portion, the method comprising:
- generating a first asymmetric key pair and a second asymmetric key pair, wherein a private key of the first key pair is used as a first factor which is stored on a user device, and wherein a private key of the second key pair is used as a second factor stored on a portable storage device;
  
  generating the first private portion by cryptographically transforming the first factor and second factor;
  
  generating a signature based on a challenge and the first private portion; and
  
  transmitting the signature to an entity,wherein a second private portion of the split private key is stored on the entity;
  
  wherein the first private portion and the second private portion are combinable to form a complete private key; and
  
  wherein the second private portion cannot be accessed by the user.
- View Dependent Claims (16)
- - 16. The non-transitory storage medium of claim 15,wherein the method further comprises storing a third factor associated with the first private portion;
    - andwherein generating the first private portion includes cryptographically transforming the second factor based on the third factor.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Vmware LLC (Broadcom, Inc.)
Original Assignee
VMware, Inc. (Broadcom, Inc.)
Inventors
Sandhu, Ravinderpal Singh, Schoppert, Brett Jason, Ganesan, Ravi, Bellare, Mihir, deSa, Colin Joseph
Primary Examiner(s)
Popham, Jeffrey D

Application Number

US12/729,469
Publication Number

US 20100202609A1
Time in Patent Office

1,008 Days
Field of Search

380/44, 380/47
US Class Current

380/44
CPC Class Codes

H04L 9/0825   using asymmetric-key encryp...

H04L 9/0894   Escrow, recovery or storing...

H04L 9/3228   One-time or temporary data,...

H04L 9/3271   using challenge-response

Securing multifactor split key asymmetric crypto keys

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

96 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Securing multifactor split key asymmetric crypto keys

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

96 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links