Methods and systems for entropy collection for server-side key generation

US 8,589,695 B2
Filed: 06/07/2006
Issued: 11/19/2013
Est. Priority Date: 06/07/2006
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving entropy bits from a plurality of remote sources of entropy;

receiving an identification number associated with a token;

combining, by a processor, the entropy bits to form a combined stream of bits, wherein a number of bits in the combined stream of bits is based on a profile associated with a subject private key;

generating a subject key pair based on the combined stream of bits wherein the subject key pair comprises a subject public key and the subject private key;

encrypting the subject private key with a session key;

forwarding the encrypted subject private key for delivery to the token;

deriving a key encryption key based on a server master key and the identification number;

generating the session key based on the plurality of sources of entropy; and

encrypting the session key with the key encryption key.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods for providing a multiple source entropy feed for a PRNG that is used to generate server-side encryption keys are disclosed. A data recovery manager may collect additional entropy sources that feed into the PRNG between each key generation. The entropy may be collected from a variety of sources, for example, high-resolution timer intervals between input/output interrupts, hard disk access operations, and the like. The number of bits of entropy collected may be configured for each key generation.

Citations

27 Claims

1. A method comprising:
- receiving entropy bits from a plurality of remote sources of entropy;
  
  receiving an identification number associated with a token;
  
  combining, by a processor, the entropy bits to form a combined stream of bits, wherein a number of bits in the combined stream of bits is based on a profile associated with a subject private key;
  
  generating a subject key pair based on the combined stream of bits wherein the subject key pair comprises a subject public key and the subject private key;
  
  encrypting the subject private key with a session key;
  
  forwarding the encrypted subject private key for delivery to the token;
  
  deriving a key encryption key based on a server master key and the identification number;
  
  generating the session key based on the plurality of sources of entropy; and
  
  encrypting the session key with the key encryption key.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, further comprising:
    - retrieving a server transport key from a data recovery manager.
  - 3. The method of claim 2, further comprising:
    - encrypting the session key with the server transport key.
  - 4. The method of claim 3, further comprising:
    - decrypting the session key encrypted with the server transport key with a complementary private key of the server transport key.
  - 5. The method of claim 1, further comprising:
    - retrieving a storage key comprising a private key type; and
      
      generating a storage session key.
  - 6. The method of claim 5, further comprising:
    - encrypting the subject private key with the storage session key; and
      
      encrypting the storage session key with the storage key.
  - 7. The method of claim 6, further comprising:
    - storing the subject private key encrypted with storage session key and the encrypted storage session key in a data recovery manager.
  - 8. The method of claim 7, further comprising:
    - transmitting a certificate enrollment request with information related to the subject public key to a certificate authority module; and
      
      forwarding any received certificates to the token.

9. A system comprising:
- a security server device to interface with a security client, wherein the security server device is further to receive entropy bits from a plurality of remote sources of entropy;
  
  receive an identification number associated with a token;
  
  combine the entropy bits to form a combined stream of bits, wherein a number of bits in the combined stream of bits is based on a profile associated with a subject private key;
  
  generate a subject key pair within the security server device based on the combined stream of bits wherein the subject key pair comprises a subject public key and the subject private key;
  
  encrypt the subject private key with a session key;
  
  forward the encrypted subject private key for delivery to the token;
  
  derive a key encryption key based on a server master key and the identification number;
  
  generate the session key based on the plurality of sources of entropy; and
  
  encrypt the session key with the key encryption key.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 10. The system of claim 9, wherein the security server device further comprises:
    - a token processing gateway to manage the interface between the security client and the security server device;
      
      a key service module to interface with the token processing gateway;
      
      a certificate authority module to interface with the token processing gateway and to generate certificates; and
      
      a data recovery manager (DRM) module to interface with the token processing gateway and to maintain a database of private keys, wherein the DRM module is to store the subject private key.
  - 11. The system of claim 10, wherein the key service module is to encrypt the session key with the key encryption key.
  - 12. The system of claim 11, wherein the key service module is further to retrieve a server transport key and encrypt the session key with the server transport key.
  - 13. The system of claim 12, wherein the key service module is further to forward the session key encrypted with the key encryption key and the session key encrypted with the server transport key to the token processing gateway.
  - 14. The system of claim 13, wherein the token processing gateway is further to forward the session key encrypted with the server transport key to the DRM module.
  - 15. The system of claim 14, wherein the DRM module is further to generate the subject key pair.
  - 16. The system of claim 14, wherein the DRM module is further to retrieve a storage key and generate a storage session key.
  - 17. The system of claim 16, wherein the DRM module is further to encrypt the subject private key with the storage session key and to encrypt the storage session key with the storage key.
  - 18. The system of claim 17, wherein the DRM module is to store the subject private key encrypted with the storage session key and the encrypted storage key in a database maintained by the DRM module.
  - 19. The system of claim 15, wherein the DRM module is further to decrypt the session key encrypted with the server transport key with a complementary private key of the server transport key and encrypt the subject private key with the session key.
  - 20. The system of claim 15, wherein the DRM module is further to forward the encrypted subject private key to the token processing gateway.
  - 21. The system of claim 10, wherein the token processing gateway is further to transmit a certificate enrollment request and information related to the subject public key to the certificate authority module.
  - 22. The system of claim 21, wherein the token processing gateway is further to forward any generated certificates to the token at the security client.

23. A non-transitory computer readable storage medium having instructions that, when executed by a processor, cause the processor to perform operations comprising:
- receiving entropy bits from a plurality of remote sources of entropy;
  
  receiving an identification number associated with a token;
  
  combining, by a processor, the entropy bits to form a combined stream of bits, wherein a number of bits in the combined stream of bits is based on a profile associated with a subject private key;
  
  generating a subject key pair based on the combined stream of bits wherein the subject key pair comprises a subject public key and the subject private key;
  
  encrypting the subject private key with a session key;
  
  forwarding the encrypted subject private key for delivery to the token;
  
  deriving a key encryption key based on a server master key and the identification number;
  
  generating the session key based on the plurality of sources of entropy; and
  
  encrypting the session key with the key encryption key.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The non-transitory computer readable storage medium of claim 23, the operations further comprising:
    - retrieving a server transport key from a data recovery manager.
  - 25. The non-transitory computer readable storage medium of claim 24, the operations further comprising:
    - encrypting the session key with the server transport key.
  - 26. The non-transitory computer readable storage medium of claim 25, the operations further comprising:
    - decrypting the session key encrypted with the server transport key with a complementary private key of the server transport key.
  - 27. The non-transitory computer readable storage medium of claim 23, the operations further comprising:
    - retrieving a storage key comprising a private key type; and
      
      generating a storage session key.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Red Hat, Inc. (International Business Machines Corporation)
Original Assignee
Red Hat, Inc. (International Business Machines Corporation)
Inventors
Parkinson, Steven William, Lord, Robert B.
Primary Examiner(s)
Shiferaw, Eleni
Assistant Examiner(s)
SHOLEMAN, ABU S

Application Number

US11/448,156
Publication Number

US 20080022122A1
Time in Patent Office

2,722 Days
Field of Search

713/185, 713/172, 713/186.187, 380/286, 380/277, 380/45, 380/46, 380/47, 380/48
US Class Current

713/186
CPC Class Codes

H04L 2209/603   Digital right managament [DRM]

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0853   using an additional device,...

H04L 9/0662   with particular pseudorando...

H04L 9/0822   using key encryption key

H04L 9/0869   involving random numbers or...

Methods and systems for entropy collection for server-side key generation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and systems for entropy collection for server-side key generation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links