Interlocking plain text passwords to data encryption keys

US 8,516,264 B2
Filed: 04/27/2010
Issued: 08/20/2013
Est. Priority Date: 10/09/2009
Status: Active Grant

First Claim

Patent Images

1. A method of authenticating a user request for access to at least a portion of an encrypted storage device, the method comprising:

generating a unique password for authenticating a user for access to the encrypted storage device by the steps of;

generating, by a random number generator;

i) a root key to encrypt and decrypt data;

ii) a maker'"'"'s password to generate other passwords;

iii) an authentication hash key to generate hashed values of plaintext passwords; and

iv) a random data key corresponding to the unique authentication hash key, wherein the root key is stored in a one-time programmable memory in an access control system of an encryption module and not accessible outside of the access control system;

generating, by the encryption module, an encrypted data key based on the random data key, the authentication hash key and the root key;

generating, by the encryption module, a unique plaintext password for the user based on a random number and the encrypted data key;

generating, by a hash module, a hashed value of the generated plaintext password based on the authentication hash key;

storing the hashed value of the plaintext password and the corresponding encrypted data key to a key storage; and

providing the plaintext password to the user;

receiving the request for access to at least a portion of the encrypted storage device, the request including the plaintext password;

generating, by the hash module, a hashed version of the received plaintext password based on the authentication hash key;

retrieving, from the key storage, a hashed value of a generated plaintext password;

comparing, by a hash comparator, the hashed version of the received plaintext password with the retrieved hashed value of the generated plaintext password; and

when the hashed version of the received plaintext password and the retrieved hashed value of the generated plaintext password are equal, authenticating the user for access to at least a portion of the encrypted storage device,otherwise, denying the user access to the encrypted storage device;

changing the user'"'"'s plaintext password, by the steps of;

receiving a desired plaintext password for the user;

extracting the authentication hash key and data key from the encrypted data key; and

generating, by the hash module, a hashed version of the desired plaintext password based upon the extracted authentication hash key and the root key.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Described embodiments provide for authenticating a user request for access to at least a portion of an encrypted storage device. First, the request for access to at least a portion of the encrypted storage device is received. The request includes a plaintext password. A hash module generates a hashed version of the received plaintext password based on an authentication hash key. A hashed value of the generated plaintext password is retrieved from a key storage. A hash comparator compares the hashed version of the received plaintext password with the retrieved hashed value of the generated plaintext password. If the hashed version of the received plaintext password and the retrieved hashed value of the generated plaintext password are equal, the user is authenticated for access to at least a portion of the encrypted storage device. Otherwise, the user is denied access to the encrypted storage device.

Citations

16 Claims

1. A method of authenticating a user request for access to at least a portion of an encrypted storage device, the method comprising:
- generating a unique password for authenticating a user for access to the encrypted storage device by the steps of;
  
  generating, by a random number generator;
  
  i) a root key to encrypt and decrypt data;
  
  ii) a maker'"'"'s password to generate other passwords;
  
  iii) an authentication hash key to generate hashed values of plaintext passwords; and
  
  iv) a random data key corresponding to the unique authentication hash key, wherein the root key is stored in a one-time programmable memory in an access control system of an encryption module and not accessible outside of the access control system;
  
  generating, by the encryption module, an encrypted data key based on the random data key, the authentication hash key and the root key;
  
  generating, by the encryption module, a unique plaintext password for the user based on a random number and the encrypted data key;
  
  generating, by a hash module, a hashed value of the generated plaintext password based on the authentication hash key;
  
  storing the hashed value of the plaintext password and the corresponding encrypted data key to a key storage; and
  
  providing the plaintext password to the user;
  
  receiving the request for access to at least a portion of the encrypted storage device, the request including the plaintext password;
  
  generating, by the hash module, a hashed version of the received plaintext password based on the authentication hash key;
  
  retrieving, from the key storage, a hashed value of a generated plaintext password;
  
  comparing, by a hash comparator, the hashed version of the received plaintext password with the retrieved hashed value of the generated plaintext password; and
  
  when the hashed version of the received plaintext password and the retrieved hashed value of the generated plaintext password are equal, authenticating the user for access to at least a portion of the encrypted storage device,otherwise, denying the user access to the encrypted storage device;
  
  changing the user'"'"'s plaintext password, by the steps of;
  
  receiving a desired plaintext password for the user;
  
  extracting the authentication hash key and data key from the encrypted data key; and
  
  generating, by the hash module, a hashed version of the desired plaintext password based upon the extracted authentication hash key and the root key.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The method of claim 1, further comprising;
    - storing, to a key cache, one or more decrypted data keys.
  - 3. The method of claim 1, wherein the at least a portion of the encrypted storage device corresponds to one or more bands of the encrypted storage device.
  - 4. The method of claim 2, wherein a user password allows access to at least one corresponding hand of the storage device, and an administrative password allows access to one or more hands of the storage device.
  - 5. The method of claim 1, wherein the root key, the authentication hash key, the hashed version of the plaintext password and a corresponding unencrypted data key are accessible only within an encryption datapath of the storage device.
  - 6. The method of claim 1, wherein:
    - the root key is a pair of 256 hit keys, the plain text password is a 256 bit password, the authentication hash key is a 256 bit key, the random data key is one of a 128, 256 and 512 bit key, and the encrypted data key is one of a 448, 576 and 832 bit key.

7. A non-transitory machine-readable storage medium, having encoded thereon program code, wherein, when the program code is executed by a machine, the machine implements a method of authenticating a user request for access to at least a portion of an encrypted storage device, the method comprising:
- generating a unique password for authenticating a user for access to the encrypted storage device by the steps of;
  
  generating, by a random number generator;
  
  i) a root key to encrypt and decrypt data;
  
  ii) a maker'"'"'s password to generate other passwords;
  
  iii) an authentication hash key to generate hashed values of plaintext passwords; and
  
  iv) a random data key corresponding to the unique authentication hash key, wherein the root key is stored in a one-time programmable memory in an access control system of an encryption module and not accessible outside of the access control system;
  
  generating, by the encryption module, an encrypted data key based on the random data key, the authentication hash key and the root key;
  
  generating, by the encryption module, a unique plaintext password for the user based on a random number and the encrypted data key;
  
  generating, by a hash module, a hashed value of the generated plaintext password based on the authentication hash key;
  
  storing the hashed value of the plaintext password and the corresponding encrypted data key to a key storage; and
  
  providing the plaintext password to the user;
  
  receiving the request for access to at least a portion of the encrypted storage device, the request including the plaintext password;
  
  generating, by the hash module, a hashed version of the received plaintext password based on the authentication hash key;
  
  retrieving, from the key storage, a hashed value of a generated plaintext password;
  
  comparing, by a hash comparator, the hashed version of the received plaintext password with the retrieved hashed value of the generated plaintext password; and
  
  when the hashed version of the received plaintext password and the retrieved hashed value of the generated plaintext password are equal, authenticating the user for access to at least a portion of the encrypted storage device,otherwise, denying the user access to the encrypted storage device;
  
  changing the user'"'"'s plaintext password, by the steps of;
  
  receiving a desired plaintext password for the user;
  
  extracting the authentication hash key and data key from the encrypted data key; and
  
  generating, by the hash module, a hashed version of the desired plaintext password based upon the extracted authentication hash key and the root key.
- View Dependent Claims (8, 9, 10, 11)
- - 8. The non-transitory machine-readable storage medium of claim 7, further comprisingstoring, to a key cache, one or more decrypted data keys.
  - 9. The non-transitory machine-readable storage medium of claim 7, wherein the at least a portion of the encrypted storage device corresponds to one or more bands of the encrypted storage device.
  - 10. The non-transitory machine-readable storage medium of claim 9, wherein a user password allows access to at least one corresponding band of the storage device, and an administrative password allows access to one or more bands of the storage device.
  - 11. The non-transitory machine-readable storage medium of claim 7, wherein the root key, the authentication hash key and the corresponding unencrypted data key are accessible only within an encryption datapath of the storage device.

12. An apparatus for authenticating a user for access to an encrypted storage device, the apparatus comprising:
- a random number generator configured to generate;
  
  (i) a root key to encrypt and decrypt data;
  
  (ii) a maker'"'"'s password to generate other passwords;
  
  (iii) an authentication hash key to generate hashed values of plaintext passwords; and
  
  (iv) a random data key corresponding to the unique plaintext password;
  
  an encryption module configured to (i) generate an encrypted data key based on the random data key and the root key;
  
  (ii) generate a unique plaintext password for the user based on a random number and the encrypted data key, and (iii) extract the authentication hash key and data key from the encrypted data key, wherein the root key is stored in a one-time programmable memory in an access control system of an encryption module and not accessible outside of the access control system;
  
  a hash module configured to generate (i) a hashed value of the generated plaintext password based on the authentication hash key; and
  
  (ii) a hashed version of the received plaintext password based on the authentication hash key;
  
  a key storage configured to store the hashed value of the plaintext password and the corresponding encrypted data key;
  
  a communication link configured to (i) providing the plaintext password to the user; and
  
  (ii) receive the request for access to at least a portion of the encrypted storage device, the request including the plaintext password; and
  
  a hash comparator configured to compare the hashed version of the received plaintext password with the hashed value of the generated plaintext password, wherein, when the hashed version of the received plaintext password and the retrieved hashed value of the generated plaintext password are equal, the hash comparator is configured to authenticate the user for access to at least a portion of the encrypted storage device, otherwise, the hash comparator is configured to deny the user access to the encrypted storage device,wherein the apparatus is configured to change the user'"'"'s plaintext password, by receiving a desired plaintext password for the user, extracting the authentication hash key and data key from the encrypted data key, and generating, by the hash module, a hashed version of the desired plaintext password based upon the extracted authentication hash key and the root key.
- View Dependent Claims (13, 14, 15, 16)
- - 13. The apparatus of claim 12, further comprising:
    - a key cache configured to store one or more decrypted data keys.
  - 14. The apparatus of claim 12, wherein the encrypted storage device comprises one or more bands of the encrypted storage device, wherein a user password allows access to at least one corresponding hand of the storage device, and an administrative password allows access to one or more bands of the storage device.
  - 15. The apparatus of claim 12, wherein the root key, the authentication hash key and the corresponding unencrypted data key are accessible only within an encryption datapath of the storage device.
  - 16. The apparatus of claim 12, wherein the apparatus is implemented in a monolithic integrated circuit chip.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avago Technologies International Sales Pte Limited (Broadcom, Inc.)
Original Assignee
LSI Corporation (Broadcom, Inc.)
Inventors
Munsil, Jeffrey L., Williams, Jeffrey L
Primary Examiner(s)
Tabor, Amare F

Application Number

US12/768,058
Publication Number

US 20110087890A1
Time in Patent Office

1,211 Days
Field of Search

713181-183, 713/184, 726 2- 5, 726 17- 22, 726/30
US Class Current

713/184
CPC Class Codes

G06F 21/31   User authentication

G06F 21/78   to assure secure storage of...

H04L 2209/12   Details relating to cryptog...

H04L 9/0866   involving user or device id...

H04L 9/3226   using a predetermined code,...

H04L 9/3236   using cryptographic hash fu...

Interlocking plain text passwords to data encryption keys

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Interlocking plain text passwords to data encryption keys

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links