Methods and systems for server-side key generation

US 8,495,380 B2
Filed: 06/06/2006
Issued: 07/23/2013
Est. Priority Date: 06/06/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

transmitting, by a computer system, a request for a subject key pair;

receiving by the computer system, in response to the request, a subject private key that has been encrypted with a session key, and a subject public key;

transmitting to a token, by the computer system, (i) the encrypted subject private key, and (ii) the session key encrypted with a symmetric key that is based on the token and a master key;

transmitting to a certificate authority, by the computer system, a certificate enrollment request with information pertaining to the subject public key;

receiving, by the computer system, a certificate in response to the certificate enrollment request;

generating a storage session key;

encrypting the subject private key with the storage session key;

retrieving a storage private key;

encrypting the storage session key with the storage private key; and

storing (i) the subject private key encrypted with the storage session key, and (ii) the encrypted storage session key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for generating credentials for a token. A server detects a token, determines that the token is to be enrolled, and generates a subject key pair that includes a subject public key and subject private key. The server encrypts the subject private key with a key transport session key to obtain a wrapped private key and forwards the wrapped private key to the token.

Citations

18 Claims

1. A method comprising:
- transmitting, by a computer system, a request for a subject key pair;
  
  receiving by the computer system, in response to the request, a subject private key that has been encrypted with a session key, and a subject public key;
  
  transmitting to a token, by the computer system, (i) the encrypted subject private key, and (ii) the session key encrypted with a symmetric key that is based on the token and a master key;
  
  transmitting to a certificate authority, by the computer system, a certificate enrollment request with information pertaining to the subject public key;
  
  receiving, by the computer system, a certificate in response to the certificate enrollment request;
  
  generating a storage session key;
  
  encrypting the subject private key with the storage session key;
  
  retrieving a storage private key;
  
  encrypting the storage session key with the storage private key; and
  
  storing (i) the subject private key encrypted with the storage session key, and (ii) the encrypted storage session key.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising receiving, by the computer system, an identification number associated with the token.
  - 3. The method of claim 2, further comprising:
    - deriving, by the computer system, the symmetric key based on the server master key and the identification number;
      
      generating, by the computer system, the session key; and
      
      encrypting, by the computer system, the session key with the symmetric key.
  - 4. The method of claim 3, further comprising retrieving a server transport key from a data recovery manager.
  - 5. The method of claim 4, further comprising encrypting, by the computer system, the session key with the server transport key.
  - 6. The method of claim 5, further comprising:
    - decrypting, by the computer system, the session key with a complementary private key of the server transport key to retrieve the session key; and
      
      encrypting, by the computer system, the subject private key with the session key.

7. An apparatus comprising:
- a memory to store a session key; and
  
  a processor to;
  
  transmit a request for a subject key pair,receive, in response to the request, a subject private key that has been encrypted with the session key, and a subject public key,transmit to a token (i) the encrypted subject private key and (ii) the session key encrypted with a symmetric key that is based on the token and a master key,transmit to a certificate authority a certificate enrollment request with information pertaining to the subject public key;
  
  receive a certificate in response to the certificate enrollment request,generate a storage session key,encrypt the subject private key with the storage session key,retrieve a storage private key,encrypt the storage session key with the storage private key; and
  
  store in the memory (i) the subject private key encrypted with the storage session key, and (ii) the encrypted storage session key.
- View Dependent Claims (8, 9, 10, 11, 12)
- - 8. The apparatus of claim 7, wherein the processor is further to receive an identification number associated with the token.
  - 9. The apparatus of claim 8, wherein the processor is further to:
    - derive the symmetric key based on the server master key and the identification number;
      
      generate the session key; and
      
      encrypt the session key with the symmetric key.
  - 10. The apparatus of claim 9, wherein the processor is further to retrieve a server transport key from a data recovery manager.
  - 11. The apparatus of claim 10, wherein the processor is further to encrypt the session key with the server transport key.
  - 12. The apparatus of claim 11, wherein the processor is further to:
    - decrypt the session key with a complementary private key of the server transport key to retrieve the session key; and
      
      encrypt the subject private key with the session key.

13. A non-transitory computer readable storage medium comprising instructions for causing a computer system to perform operations comprising:
- transmitting, by the computer system, a request for a subject key pair;
  
  receiving by the computer system, in response to the request, a subject private key that has been encrypted with a session key, and a subject public key;
  
  transmitting to a token, by the computer system, (i) the encrypted subject private key, and (ii) the session key encrypted with a symmetric key that is based on the token and a master key;
  
  transmitting to a certificate authority, by the computer system, a certificate enrollment request with information pertaining to the subject public key; and
  
  receiving, by the computer system, a certificate in response to the certificate enrollment request;
  
  generating a storage session key;
  
  encrypting the subject private key with the storage session key;
  
  retrieving a storage private key;
  
  encrypting the storage session key with the storage private key; and
  
  storing (i) the subject private key encrypted with the storage session key, and (ii) the encrypted storage session key.
- View Dependent Claims (14, 15, 16, 17, 18)
- - 14. The non-transitory computer readable storage medium of claim 13, wherein the operations further comprise receiving, by the computer system, an identification number associated with the token.
  - 15. The non-transitory computer readable storage medium of claim 14, wherein the operations further comprise:
    - deriving, by the computer system, the symmetric key based on the server master key and the identification number;
      
      generating, by the computer system, the session key; and
      
      encrypting, by the computer system, the session key with the symmetric key.
  - 16. The non-transitory computer readable storage medium of claim 15, wherein the operations further comprise retrieving a server transport key from a data recovery manager.
  - 17. The non-transitory computer readable storage medium of claim 16, wherein the operations further comprise encrypting, by the computer system, the session key with the server transport key.
  - 18. The non-transitory computer readable storage medium of claim 17, wherein the operations further comprise:
    - decrypting, by the computer system, the session key with a complementary private key of the server transport key to retrieve the session key; and
      
      encrypting, by the computer system, the subject private key with the session key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Fu, Christina, Parkinson, Steven William, Kwan, Nang Kon
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
SHOLEMAN, ABU S

Application Number

US11/446,957
Publication Number

US 20080022121A1
Time in Patent Office

2,604 Days
Field of Search

713/185, 713/183, 713/182, 713/184, 713/186, 380/286, 380/277, 726/35, 726/36, 382/115, 340/5.82
US Class Current

713/185
CPC Class Codes

H04L 2209/603   Digital right managament [DRM]

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0853   using an additional device,...

H04L 9/0822   using key encryption key

H04L 9/3263   involving certificates, e.g...

Methods and systems for server-side key generation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for server-side key generation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links