Enterprise device recovery

US 8,505,075 B2
Filed: 05/02/2009
Issued: 08/06/2013
Est. Priority Date: 07/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method for an administrator of an enterprise to recover a user secure storage device in conjunction with a third-party service without the administrator knowing a user secure storage device password, the method comprising:

communicatively coupling an administrator secure storage device with a host computer;

communicatively coupling the user secure storage device with the host computer;

authenticating the administrator secure storage device to the third-party service;

causing one or more decryptions on an encrypted portion of data stored in a recovery box on the user secure storage device, the one or more decryptions performed with an enterprise private key generated by the third-party service, with a shared administrator private key generated by the administrator secure storage device, and with a user key generated by the user secure storage device to produce information associated with the user secure storage device password; and

logging the administrator into the user secure storage device using the information associated with user secure storage device password without the administrator knowing the user secure storage device password.

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An administrator of an enterprise can recover a user secure storage device in conjunction with a third-party service without the administrator knowing a user secure storage device password. The administrator secure storage device is communicatively coupled with a host computer. A user secure storage device is communicatively coupled with a host computer. The administrator secure storage device is authenticated to the third-party service. One or more decryptions are performed on an encrypted portion of data with an enterprise private key and a shared administrator private key to produce information associated with the user secure storage device password. The administrator is logged into the user secure storage device using the information associated with the user secure storage device password without the administrator knowing the user secure storage device password.

122 Citations

28 Claims

1. A method for an administrator of an enterprise to recover a user secure storage device in conjunction with a third-party service without the administrator knowing a user secure storage device password, the method comprising:
- communicatively coupling an administrator secure storage device with a host computer;
  
  communicatively coupling the user secure storage device with the host computer;
  
  authenticating the administrator secure storage device to the third-party service;
  
  causing one or more decryptions on an encrypted portion of data stored in a recovery box on the user secure storage device, the one or more decryptions performed with an enterprise private key generated by the third-party service, with a shared administrator private key generated by the administrator secure storage device, and with a user key generated by the user secure storage device to produce information associated with the user secure storage device password; and
  
  logging the administrator into the user secure storage device using the information associated with user secure storage device password without the administrator knowing the user secure storage device password.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17)
- - 2. The method of claim 1, wherein an administrator cannot recover the user secure storage device without being authorized and authenticating to the third-party service.
  - 3. The method of claim 1, wherein the third-party service cannot recover a user secure storage device without cooperation of an administrator.
  - 4. The method of claim 1, further comprising specifying which applications can be on the user secure storage device.
  - 5. The method of claim 1, wherein the information associated with the user secure storage device password comprises a hash of the user secure storage device password.
  - 6. The method of claim 1, wherein the information associated with the user secure storage device password comprises the user secure storage device password.
  - 7. The method of claim 1, further comprising receiving, at the administrator secure storage device, a password for the recovery box on the user secure storage device.
  - 8. The method of claim 1, further comprising receiving, at the administrator secure storage device, a shared administrator keypair generated by the administrator secure storage device, the shared administrative key pair including the administrator private key.
  - 9. The method of claim 1, further comprising taking a hash of a key and comparing the result against a stored value.
  - 10. The method of claim 9, wherein the stored value is a hash of a key.
  - 11. The method of claim 1, further comprising obtaining password recovery data having an encrypted key portion.
  - 12. The method of claim 1, further comprising decrypting a third encrypted portion of data with the enterprise private key to produce a second encrypted portion of data.
  - 13. The method of claim 12, further comprising decrypting the second encrypted portion of data with the shared administrator private key to produce a first encrypted portion of data.
  - 14. The method of claim 13, wherein the first encrypted portion of data comprises a first key and a hash of a second key, the method further comprising taking a hash of the first key to determine if there is a match with the hash of the second key.
  - 15. The method of claim 14, wherein the hash of the first key is the same as the hash of the second key.
  - 16. The method of claim 14, further comprising:
    - decrypting the hash of the user secure storage device password with a key that was used for encrypting the hash of the user secure storage device password; and
      
      submitting a decrypted hash of the user secure storage device password to the user secure storage device for login.
  - 17. The method of claim 16, wherein the key used to encrypt the hash of the user secure storage device password is a randomly generated key.

18. A system for facilitating an administrator of an enterprise to recover a user secure storage device in conjunction with a third-party service without the administrator knowing a user secure storage device password, the system comprising:
- an administrator secure storage device communicatively coupled with a host computer;
  
  the user secure storage device communicatively coupled with a host computer; and
  
  an administrator recovery module located on the administrator secure storage device, the administrator recovery module configured to recover a user secure storage device in conjunction with a third-party service without the administrator knowing a user secure storage device password, the administrator recovery module causing one or more decryptions on an encrypted portion of data with an enterprise private key generated by the third-party service, with a shared administrator private key generated by the administrator secure storage device, and with a user key generated by the user secure storage device.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27)
- - 19. The system of claim 18, wherein the administrator recovery module includes an administrator authentication module.
  - 20. The system of claim 19, wherein the administrator recovery module includes an administrator cryptography module.
  - 21. The system of claim 18, further comprising a password recovery box located on the user secure storage device, wherein the administrator secure storage device is configured to receive a password for the password recovery box.
  - 22. The system of claim 18, further comprising a shared administrator keypair that is received at the administrator secure storage device.
  - 23. The system of claim 18, wherein the administrator recovery module further comprises an administrator cryptography module that is configured to decrypt a third encrypted portion of data with the enterprise private key to produce a second encrypted portion of data.
  - 24. The system of claim 23, wherein the administrator cryptography module is further configured to decrypt the second encrypted portion of data with the shared administrator private key to produce a first encrypted portion of data.
  - 25. The system of claim 24, wherein the first encrypted portion of data comprises a first key and a hash of a second key, the administrator cryptography module further configured to take a hash of the first key to determine if there is a match with the hash of the second key.
  - 26. The system of claim 25, wherein the hash of the first key is the same as the hash of the second key.
  - 27. The system of claim 26, wherein the administrator cryptography module is configured to decrypt the hash of the user secure storage device password with a key that was used for encrypting the hash of the user secure storage device password, wherein the decrypted hash of the user secure storage device password is then submitted to the user secure storage device for login.

28. A non-transitory computer readable storage medium having a program embodied thereon, the program executable by a processor to perform a method for an administrator of an enterprise to recover a user secure storage device in conjunction with a third-party service without the administrator knowing a user secure storage device password, the method comprising:
- receiving a shared administrator keypair generated by an administrator secure storage device and comprising an administrator public key and an administrator private key;
  
  receiving an enterprise keypair generated by the third-party service and comprising an enterprise public key and an enterprise private key;
  
  receiving a user key generated by the user secure storage device;
  
  producing first encrypted data by encrypting data associated with the user secure storage device password using the generated user key;
  
  producing second encrypted data by encrypting the first encrypted data with the administrator public key and the enterprise public key;
  
  performing one or more decryptions on the second encrypted data with the enterprise private key, the administrator private key, and the user key to produce information associated with the user secure storage device password; and
  
  logging the administrator into the user secure storage device using the information associated with the user secure storage device password without the administrator knowing the user secure storage device password.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Proofpoint Incorporated
Original Assignee
Marble Security, Inc. (Proofpoint Incorporated)
Inventors
Jevans, David, Spencer, Gil
Primary Examiner(s)
McNally, Michael S

Application Number

US12/434,628
Publication Number

US 20090276623A1
Time in Patent Office

1,557 Days
Field of Search

726/4
US Class Current

726/4
CPC Class Codes

G06F 21/6209   to a single file or object,...

G06F 21/78   to assure secure storage of...

G06F 2221/2149   Restricted operating enviro...

G06F 2221/2153   Using hardware token as a s...

H04L 2463/062   applying encryption of the ...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/102   Entity profiles

Enterprise device recovery

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

122 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Enterprise device recovery

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links